Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe

Overview

General Information

Sample name: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
Analysis ID: 1446951
MD5: bfbb46c049e5d57500c3f5cdb1ba7f45
SHA1: c58483fb9fe53e411c03be9d2d7b73bbe48793e4
SHA256: 351b5948fc7f05d1d6ecf2c46ccc82ad540859d9130be307e6bf22b41da1a766
Tags: exe
Infos:

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contain functionality to detect virtual machines
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to detect virtual machines (IN, VMware)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe (PID: 5876 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe" MD5: BFBB46C049E5D57500C3F5CDB1BA7F45)
    • Installer.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe" /spid:5876 /splha:35562336 MD5: 2F1908B8473BF08AFF928A95EE9ADF2D)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dll | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Temp\is-8997833.tmp\SetupHelper.dll | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Temp\is-8997833.tmp\rtl250.bpl | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000000.00000000.2012630901.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000002.00000002.3301930565.0000000007261000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000000.00000003.2015672908.0000000006363000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000000.00000003.2016354535.0000000002350000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
0.0.SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
2.2.Installer.exe.7260000.8.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
2.2.Installer.exe.15e0000.4.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
No Snort rule has matched

                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2178 @Oxrtl@System@Crypt@Crypt@Base64EncodeW$qqrxp22System@Classes@TStreamt1,@System@@FillChar$qqrpvic,2_2_00BD2178
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD23F4 @Oxrtl@System@Crypt@Crypt@DPAPIDecode$qqrp28System@Classes@TMemoryStreamr24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@System@Classes@TStream@SetPosition$qqrxj,CryptUnprotectData,@System@@TryFinallyExit$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Move$qqrpxvpvi,LocalFree,2_2_00BD23F4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2330 @Oxrtl@System@Crypt@Crypt@DPAPIDecode$qqrp28System@Classes@TMemoryStreamp25System@Sysutils@TEncodingp34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@System@@UStrClr$qqrpv,@Oxrtl@System@Crypt@Crypt@DPAPIDecode$qqrp28System@Classes@TMemoryStreamr24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@System@Sysutils@TEncoding@GetString$qqrx24System@%DynamicArray$uc%,@System@Sysutils@TEncoding@GetDefault$qqrv,@System@Sysutils@TEncoding@GetString$qqrx24System@%DynamicArray$uc%,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,2_2_00BD2330
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD24E0 @Oxrtl@System@Crypt@Crypt@DPAPIEncode$qqrx31System@%AnsiStringT$us$i65535$%r24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@System@@LStrLen$qqrx31System@%AnsiStringT$us$i65535$%,@System@@LStrLen$qqrx31System@%AnsiStringT$us$i65535$%,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@@DynArrayLength$qqrpxv,@System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%,@System@Move$qqrpxvpvi,@Oxrtl@System@Crypt@Crypt@DPAPIEncode$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,2_2_00BD24E0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD25C0 @Oxrtl@System@Crypt@Crypt@DPAPIEncode$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@System@@DynArrayLength$qqrpxv,@System@@DynArrayLength$qqrpxv,CryptProtectData,@System@@TryFinallyExit$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Move$qqrpxvpvi,LocalFree,2_2_00BD25C0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2698 @Oxrtl@System@Crypt@Crypt@SimpleDecode$qqrpucxixuc,2_2_00BD2698
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD26E8 @Oxrtl@System@Crypt@Finalization$qqrv,2_2_00BD26E8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD26C4 @Oxrtl@System@Crypt@Crypt@SimpleEncode$qqrpucxixuc,2_2_00BD26C4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2770 @Oxrtl@System@Cryptrsa@CryptRSA@,2_2_00BD2770
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2A90 @Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%,@System@@UStrLen$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,CryptStringToBinaryW,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@@UStrLen$qqrx20System@UnicodeString,CryptStringToBinaryW,2_2_00BD2A90
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2A0C @$xp$30Oxrtl@System@Cryptrsa@CryptRSA,@Oxrtl@System@Cryptrsa@CryptRSA@Dump$qqrx20System@UnicodeStringx24System@%DynamicArray$uc%,@System@Classes@TFileStream@,@System@Classes@TFileStream@$bctr$qqrx20System@UnicodeStringus,@System@@DynArrayLength$qqrpxv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Sysutils@FreeAndNil$qqrpv,@System@@UStrLen$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,CryptStringToBinaryW,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@@UStrLen$qqrx20System@UnicodeString,CryptStringToBinaryW,2_2_00BD2A0C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2A50 @Oxrtl@System@Cryptrsa@CryptRSA@Dump$qqrx20System@UnicodeStringx24System@%DynamicArray$uc%,@System@Classes@TFileStream@,@System@Classes@TFileStream@$bctr$qqrx20System@UnicodeStringus,@System@@DynArrayLength$qqrpxv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Sysutils@FreeAndNil$qqrpv,2_2_00BD2A50
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD0B1C @$xp$45Oxrtl@System@Crypt@PCRYPTPROTECT_PROMPTSTRUCT,@Oxrtl@System@Crypt@TCryptAES@,2_2_00BD0B1C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2B14 @Oxrtl@System@Cryptrsa@CryptRSA@BinToASN1$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@System@@DynArrayLength$qqrpxv,CryptDecodeObjectEx,@System@@FillChar$qqrpvic,@System@@GetMem$qqri,CryptDecodeObjectEx,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Move$qqrpxvpvi,@System@@FreeMem$qqrpv,2_2_00BD2B14
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD0B44 @$xp$37Oxrtl@System@Crypt@TCryptAESChainMode,@Oxrtl@System@Crypt@TCryptAES@,2_2_00BD0B44
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2CF4 @Oxrtl@System@Cryptrsa@CryptRSA@Encrypt$qqrx20System@UnicodeStringt1r20System@UnicodeStringo,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@BinToASN1$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPublic$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptImportKey$qqruipucuiuiuipui,@System@Sysutils@TEncoding@GetUTF8$qqrv,@System@Classes@TStringStream@,@System@Classes@TStringStream@$bctr$qqrx20System@UnicodeStringp25System@Sysutils@TEncodingo,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@SetPosition$qqrxj,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Netencoding@TBase64Encoding@,@System@Netencoding@TBase64Encoding@$bctr$qqri,@System@@DynArrayHigh$qqrpxv,@System@Netencoding@TNetEncoding@EncodeBytesToString$qqrpxucxi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@Sysutils@FreeAndNil$qqrpv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@System@@UStrClr$qqrpv,@$xp$21System@%TArray__1$uc%,@System@@FinalizeArray$qqrpvt1ui,2_2_00BD2CF4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2C04 @Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPublic$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@System@@DynArrayLength$qqrpxv,CryptDecodeObjectEx,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@@DynArrayLength$qqrpxv,CryptDecodeObjectEx,2_2_00BD2C04
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2C7C @Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPrivate$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@System@@DynArrayLength$qqrpxv,CryptDecodeObjectEx,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@@DynArrayLength$qqrpxv,CryptDecodeObjectEx,2_2_00BD2C7C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD0E28 @$xp$28Oxrtl@System@Crypt@TCryptAES,@Oxrtl@System@Crypt@Crypt@,2_2_00BD0E28
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2FB0 @Axrtl@Winapi@Advapi32@AdvApi32@CryptDestroyKey$qqrui,@System@Sysutils@FreeAndNil$qqrpv,@System@Sysutils@FreeAndNil$qqrpv,2_2_00BD2FB0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2FDD @Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,2_2_00BD2FDD
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD303C @Oxrtl@System@Cryptrsa@CryptRSA@Decrypt$qqrx20System@UnicodeStringt1r20System@UnicodeStringo,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPrivate$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptImportKey$qqruipucuiuiuipui,@System@Netencoding@TNetEncoding@GetBase64Encoding$qqrv,@System@Netencoding@TNetEncoding@DecodeStringToBytes$qqrx20System@UnicodeString,@System@Classes@TStringStream@,@System@Classes@TStringStream@$bctr$qqrx24System@%DynamicArray$uc%,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@ReadData$qqrruii,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDecrypt$qqruiuiiuipucpui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDestroyKey$qqrui,@System@Sysutils@FreeAndNil$qqrpv,@System@Sysutils@FreeAndNil$qqrpv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@$xp$21System@%TArray__1$uc%,@System@@FinalizeArray$qqrpvt1ui,2_2_00BD303C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C6B1AC @Oxrtl@System@Crypt@initialization$qqrv,2_2_00C6B1AC
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C6B1BC @Oxrtl@System@Cryptrsa@initialization$qqrv,2_2_00C6B1BC
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD32BC @Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,2_2_00BD32BC
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD33B8 @Oxrtl@System@Cryptrsa@CryptRSA@EncryptText$qqrx20System@UnicodeStringt1r20System@UnicodeString,@Oxrtl@System@Cryptrsa@CryptRSA@GenerateTextKey$qqrx20System@UnicodeStringuiruit3,@System@Sysutils@TEncoding@GetUTF8$qqrv,@System@Sysutils@TEncoding@GetBytes$qqrx20System@UnicodeString,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@DynArrayHigh$qqrpxv,@System@Netencoding@TNetEncoding@GetBase64Encoding$qqrv,@System@Netencoding@TNetEncoding@EncodeBytesToString$qqrpxucxi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@System@@UStrClr$qqrpv,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,2_2_00BD33B8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD3320 @Oxrtl@System@Cryptrsa@CryptRSA@GenerateTextKey$qqrx20System@UnicodeStringuiruit3,@Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui,@Axrtl@Winapi@Advapi32@AdvApi32@CryptCreateHash$qqruiuiuiuipui,@System@@UStrLen$qqrx20System@UnicodeString,@Axrtl@Winapi@Advapi32@AdvApi32@CryptHashData$qqruipxucuiui,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDeriveKey$qqruiuiuiuipui,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDestroyHash$qqrui,2_2_00BD3320
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD14F0 @$xp$24Oxrtl@System@Crypt@Crypt,@System@@ClassCreate$qqrpvzc,@System@@AfterConstruction$qqrxp14System@TObject,@System@@BeforeDestruction$qqrxp14System@TObjectzc,@Oxrtl@System@Crypt@TCryptAES@Done$qqrv,@System@TObject@$bdtr$qqrv,@System@@ClassDestroy$qqrxp14System@TObject,@Oxrtl@System@Crypt@TCryptAES@Init$qqrx37Oxrtl@System@Crypt@TCryptAESChainModepvi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptOpenAlgorithmProvider$qqrrpvpbt2ui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptGetProperty$qqrpvpbpucuiruiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@System@AllocMem$qqri,@System@@UStrLen$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptSetProperty$qqrpvpbpucuiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptGenerateSymmetricKey$qqrpvrpvpucuit3uiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,2_2_00BD14F0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD34DC @Oxrtl@System@Cryptrsa@CryptRSA@DecryptText$qqrx20System@UnicodeStringt1r20System@UnicodeString,@Oxrtl@System@Cryptrsa@CryptRSA@GenerateTextKey$qqrx20System@UnicodeStringuiruit3,@System@Netencoding@TNetEncoding@GetBase64Encoding$qqrv,@System@Netencoding@TNetEncoding@DecodeStringToBytes$qqrx20System@UnicodeString,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDecrypt$qqruiuiiuipucpui,@System@Sysutils@TEncoding@GetUTF8$qqrv,@System@Sysutils@TEncoding@GetString$qqrx24System@%DynamicArray$uc%,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@System@@UStrClr$qqrpv,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,2_2_00BD34DC
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD15BC @Oxrtl@System@Crypt@TCryptAES@Init$qqrx37Oxrtl@System@Crypt@TCryptAESChainModepvi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptOpenAlgorithmProvider$qqrrpvpbt2ui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptGetProperty$qqrpvpbpucuiruiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@System@AllocMem$qqri,@System@@UStrLen$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptSetProperty$qqrpvpbpucuiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,@Axrtl@Winapi@Bcrypt@BCrypt@BCryptGenerateSymmetricKey$qqrpvrpvpucuit3uiui,@Axrtl@Winapi@Bcrypt@BCrypt@CheckResult$qqri,2_2_00BD15BC
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD158C @Oxrtl@System@Crypt@TCryptAES@$bdtr$qqrv,@System@@BeforeDestruction$qqrxp14System@TObjectzc,@Oxrtl@System@Crypt@TCryptAES@Done$qqrv,@System@TObject@$bdtr$qqrv,@System@@ClassDestroy$qqrxp14System@TObject,2_2_00BD158C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD35F0 @Oxrtl@System@Cryptrsa@CryptRSA@EncryptStream$qqrp22System@Classes@TStreamt1x20System@UnicodeString,@Oxrtl@System@Cryptrsa@CryptRSA@GenerateTextKey$qqrx20System@UnicodeStringuiruit3,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@SetPosition$qqrxj,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@SetPosition$qqrxj,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,2_2_00BD35F0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD1520 @$xp$21System@%TArray__1$uc%,CryptProtectData,2_2_00BD1520
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C01500 @Oxrtl@System@Internet@TInternetPostQueue@Enqueue$qqrx20System@UnicodeStringt1p28System@Classes@TMemoryStreamxo71System@%DelphiInterface$44Axrtl@System@Win@Internet@IHttpRequestParams%,@System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%,@Oxrtl@System@Internet@TInternetPostQueueItem@,@Oxrtl@System@Internet@TInternetPostQueueItem@$bctr$qqrx20System@UnicodeString71System@%DelphiInterface$44Axrtl@System@Win@Internet@IHttpRequestParams%,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@Oxrtl@System@Crypt@Crypt@Base64Encode$qqrxp22System@Classes@TStreamt1,@System@Classes@TStream@SetPosition$qqrxj,@Axrtl@System@Win@Internet@THTTPFormDataPost@AddBinaryField$qqrx20System@UnicodeStringxp28System@Classes@TMemoryStream,@System@Sysutils@FreeAndNil$qqrpv,@Axrtl@System@Win@Internet@THTTPFormDataPost@AddBinaryField$qqrx20System@UnicodeStringxp28System@Classes@TMemoryStream,@Oxrtl@System@Thread@%TThreadQueue__1$p44Oxrtl@System@Internet@TInternetPostQueueItem%@Enqueue$qqrp44Oxrtl@System@Internet@TInternetPostQueueItem,@System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%,2_2_00C01500
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD1564 @Oxrtl@System@Crypt@TCryptAES@$bctr$qqrv,@System@@ClassCreate$qqrpvzc,@System@@AfterConstruction$qqrxp14System@TObject,2_2_00BD1564
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk9jiU77v3D8BloaUdyDS9BePd7PYIRYudhVSOv13ufXFSfQr6kBFzlGk233vh8pi0QUAajggqAvcL00POakc7EMyNhL6qUNxeEl//rZVsKgSdVb0NTFOCdaXdzh6eVIakHLFStwrkLWbWIYy5PaoJzRSydlYqUkWDf2GBbSTmtwIDAQAB-----END PUBLIC KEY-----memstr_098403f3-8
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeFile created: C:\ProgramData\Outbyte\Driver Updater\2.x\Logs\InstallerInternal.logJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\EULA.rtfJump to behavior
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: certificate valid
                          Source: unknownHTTPS traffic detected: 45.33.97.245:443 -> 192.168.2.5:49705 version: TLS 1.2
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BF43D8 @Oxrtl@System@Fileutils@FileUtils@GetFileLastAccessTime$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,@System@Sysutils@FileDateToDateTime$qqri,2_2_00BF43D8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BF4454 @Oxrtl@System@Fileutils@FileUtils@GetFileLastModifiedTime$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,@System@Sysutils@FileDateToDateTime$qqri,2_2_00BF4454
                          Source: global trafficHTTP traffic detected: GET /tools/userdata/?product=driver-updater HTTP/1.1Host: outbyte.comCache-Control: no-cache
                          Source: global trafficHTTP traffic detected: GET /sid/get/xco7KleGZQ/ HTTP/1.1Host: outbyte.comCache-Control: no-cache
                          Source: global trafficHTTP traffic detected: GET /tools/ipInfo/ HTTP/1.1Host: outbyte.comCache-Control: no-cache
                          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: global trafficDNS traffic detected: DNS query: outbyte.com
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113955561.0000000006B8D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B3D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.000000000098E000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103716509.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129371131.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122452933.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2103716509.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2091212094.0000000000996000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127728710.0000000006B49000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000002.3291466231.0000000002025000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129371131.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3258954583.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.00000000009B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0:
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/l3.crl0a
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                          Source: Installer.exe, 00000002.00000002.3258954583.000000000098B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssur
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113955561.0000000006B8D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B3D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.000000000098E000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103716509.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129371131.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122452933.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103716509.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.00000000009B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2091212094.0000000000996000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127728710.0000000006B49000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000002.3291466231.0000000002025000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          Source: Installer.exe, 00000002.00000002.3291466231.0000000002025000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.00000000009B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          Source: Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicv
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122452933.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103716509.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.00000000009B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.certum.pl0.
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122452933.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2119210783.0000000006EBD000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2103716509.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A20000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113349223.0000000000981000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099008997.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129371131.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2114404470.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3258954583.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2114962619.00000000009BC000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.00000000009B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2113955561.0000000006B8D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2125410407.0000000000981000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B31000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2115408398.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2105009162.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111769114.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3299107608.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103608187.0000000006B3D000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2099958786.0000000006C32000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103242352.000000000098E000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2103716509.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2111856325.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2127064355.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 
00000002.00000003.2112583896.0000000006B33000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2129371131.0000000000982000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2122362329.0000000006B34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                          Source: Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.certum.pl/repository.0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2083070058.000000000057E000.00000002.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2095786000.000000000706A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                          Source: Installer.exe, 00000002.00000002.3299208150.0000000006BA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8
                          Source: Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/MPL/2.0
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/eula/computers0https://outbyte.com/software/pc-repair/download/
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/privacy
                          Source: Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.trustpilot.com/review/outbyte.com
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                          Source: unknownHTTPS traffic detected: 45.33.97.245:443 -> 192.168.2.5:49705 version: TLS 1.2
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086B71C @Vcl@Imaging@Gifimg@TGIFImage@LoadFromClipboardFormat$qqrusuip10HPALETTE__,GetClipboardData,GlobalSize,GlobalLock,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@System@Move$qqrpxvpvi,@System@TObject@Free$qqrv,@Vcl@Graphics@TBitmap@,@Vcl@Graphics@TBitmap@$bctr$qqrv,@System@TObject@Free$qqrv,@Vcl@Consts@_SUnknownClipboardFormat,@System@LoadResString$qqrp20System@TResStringRec,@System@@UStrClr$qqrpv,2_2_0086B71C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD2CF4 @Oxrtl@System@Cryptrsa@CryptRSA@Encrypt$qqrx20System@UnicodeStringt1r20System@UnicodeStringo,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@BinToASN1$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPublic$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptImportKey$qqruipucuiuiuipui,@System@Sysutils@TEncoding@GetUTF8$qqrv,@System@Classes@TStringStream@,@System@Classes@TStringStream@$bctr$qqrx20System@UnicodeStringp25System@Sysutils@TEncodingo,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@SetPosition$qqrxj,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Netencoding@TBase64Encoding@,@System@Netencoding@TBase64Encoding@$bctr$qqri,@System@@DynArrayHigh$qqrpxv,@System@Netencoding@TNetEncoding@EncodeBytesToString$qqrpxucxi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@Sysutils@FreeAndNil$qqrpv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@System@@UStrClr$qqrpv,@$xp$21System@%TArray__1$uc%,@System@@FinalizeArray$qqrpvt1ui,2_2_00BD2CF4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BD303C @Oxrtl@System@Cryptrsa@CryptRSA@Decrypt$qqrx20System@UnicodeStringt1r20System@UnicodeStringo,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%,@Oxrtl@System@Cryptrsa@CryptRSA@,@Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPrivate$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%,@Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui,@System@@DynArrayLength$qqrpxv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptImportKey$qqruipucuiuiuipui,@System@Netencoding@TNetEncoding@GetBase64Encoding$qqrv,@System@Netencoding@TNetEncoding@DecodeStringToBytes$qqrx20System@UnicodeString,@System@Classes@TStringStream@,@System@Classes@TStringStream@$bctr$qqrx24System@%DynamicArray$uc%,@System@Classes@TMemoryStream@,@System@TObject@$bctr$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@ReadData$qqrruii,@$xp$21System@%TArray__1$uc%,@System@@DynArraySetLength$qqrv,@System@Classes@TStream@ReadData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDecrypt$qqruiuiiuipucpui,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@Classes@TStream@WriteData$qqrx24System@%DynamicArray$uc%i,@System@Classes@TStream@GetPosition$qqrv,@System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci,@Axrtl@Winapi@Advapi32@AdvApi32@CryptDestroyKey$qqrui,@System@Sysutils@FreeAndNil$qqrpv,@System@Sysutils@FreeAndNil$qqrpv,@Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui,@$xp$21System@%TArray__1$uc%,@System@@DynArrayClear$qqrrpvpv,@$xp$21System@%TArray__1$uc%,@System@@FinalizeArray$qqrpvt1ui,2_2_00BD303C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C133F0: @Oxrtl@System@Powerutils@PowerUtils@GetBatteryInformation$qqrp43Oxrtl@System@Powerutils@BATTERY_INFORMATION,@Oxrtl@System@Powerutils@GUID_DEVCLASS_BATTERY,@System@@FillChar$qqrpvic,@Oxrtl@System@Powerutils@GUID_DEVCLASS_BATTERY,@System@@TryFinallyExit$qqrv,@System@GetMemory$qi,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,CreateFileW,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@FillChar$qqrpvic,DeviceIoControl,@Axrtl@Winapi@Kernel32@Kernel32@DeviceIoControl$qqruiuipvuit3uiruip11_OVERLAPPED,CloseHandle,2_2_00C133F0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BF1180 @Oxrtl@System@Utils@SysUtils@RunCmdRequest$qqrx20System@UnicodeStringp27Axrtl@System@Thread@TThreadxuixo,@System@Sysutils@EmptyStr,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,CreatePipe,GetCurrentProcess,OpenProcessToken,@System@@TryFinallyExit$qqrv,DuplicateTokenEx,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,GetStdHandle,@Axrtl@Project@Processinfo@ProcessInfo@IsWow64Process$qqrv,@Axrtl@System@Ioutils@TPathHelper@FSystemDirectoryX64,@System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@Axrtl@System@Ioutils@TPathHelper@FSystemDirectoryX32,@System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString,@System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString,@System@@UStrLen$qqrx20System@UnicodeString,@System@GetMemory$qi,@System@@UStrLen$qqrx20System@UnicodeString,@System@Sysutils@StrPCopy$qqrpbx20System@UnicodeString,CreateProcessAsUserW,@System@FreeMemory$qpv,@System@@UStrClr$qqrpv,@System@@UStrClr$qqrpv,@System@@LStrClr$qqrpv,2_2_00BF1180
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: String function: 00BC2590 appears 72 times
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: String function: 00BC1120 appears 60 times
                          Source: SetupHelper.dll.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                          Source: SetupHelper.dll.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Source: SetupHelper.dll.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Source: InstallerUtils.dll.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: Number of sections : 11 > 10
                          Source: Installer.exe.0.drStatic PE information: Number of sections : 11 > 10
                          Source: DriverUpdater.exe.0.drStatic PE information: Number of sections : 11 > 10
                          Source: DriverUpdater.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form '\024TfmPanelDriversIssue\023fmPanelDriversIssue\010AutoSize\010\013BorderStyle\007\006bsNone\007Caption\006\023fmPanelDriversIssue\014ClientHeight\003.\001\013ClientWidt'
                          Source: DriverUpdater.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form '\017TfmZoneSettings\016fmZoneSettings\013BorderStyle\007\006bsNone\007Caption\006\016fmZoneSettings\014ClientHeight\003\273\002\013ClientWidth\003c\001'
                          Source: DriverUpdater.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form '\014TfmZoneTools\013fmZoneTools\013BorderStyle\007\006bsNone\007Caption\006\013fmZoneTools\014ClientHeight\003\372\001\013ClientWidth\003c\001'
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetupHelper.dll> vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000002.3259161722.00000000021F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInstaller.exe4 vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetupHelper.dll> vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetupHelper.dll> vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2077002312.0000000003018000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000000.2012691436.0000000000476000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameOutbyte-driver-updater-setup.exe@ vs SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: classification engineClassification label: sus26.evad.winEXE@3/30@1/1
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0085919C GetLastError,FormatMessageW,@System@@UStrFromWArray$qqrr20System@UnicodeStringpbi,@System@Classes@EOutOfResources@,@System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString,@System@@RaiseExcept$qqrv,@Vcl@Consts@_SOutOfResources,@System@LoadResString$qqrp20System@TResStringRec,@System@Classes@EOutOfResources@,@System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString,@System@@RaiseExcept$qqrv,@System@@UStrArrayClr$qqrpvi,2_2_0085919C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C2CBB0 @Oxrtl@Winapi@Shell32@Shell32@SHLoadLibraryFromKnownFolder$qqrrx5_GUIDxuir40System@%DelphiInterface$13IShellLibrary%,@System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%,CoCreateInstance,@System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%,@System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%,@System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%,2_2_00C2CBB0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086C80C @Vcl@Imaging@Pngimage@EPNGMissingPalette@,@$xp$39Vcl@Imaging@Pngimage@EPNGMissingPalette,@Vcl@Imaging@Pngimage@EPNGUnknownCriticalChunk@,@Vcl@Imaging@Pngimage@EPNGUnknownCompression@,@Axrtl@System@Strutils@StrUtils@BytesToStr$qqrj34Axrtl@System@Strutils@TConvertTypei,@$xp$43Vcl@Imaging@Pngimage@EPNGUnknownCompression,@Vcl@Imaging@Pngimage@EPNGUnknownInterlace@,@$xp$41Vcl@Imaging@Pngimage@EPNGUnknownInterlace,@Vcl@Imaging@Pngimage@EPNGNoImageData@,@$xp$36Vcl@Imaging@Pngimage@EPNGNoImageData,@Vcl@Imaging@Pngimage@EPNGCouldNotLoadResource@,2_2_0086C80C
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C1C0A4 @Oxrtl@System@Processes@Processes@TProcess@DoTerminateProcess$qqrxui,@Oxrtl@System@Processes@Processes@TProcess@ProcessHandle$qqrxuixo,@Oxrtl@System@Processes@Processes@TerminateProcess$qqruiuijpqqr20System@UnicodeStringuiui47Oxrtl@System@Processes@TProcessStopServiceStageo$o,GetLastError,CloseHandle,2_2_00C1C0A4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: \Sessions\1\BaseNamedObjects\INSTALLER_8D622ABC-7F4F-49CF-A95A-86F8A21753BA_global_outbyte_driver updater
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: NULL
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: \Sessions\1\BaseNamedObjects\INSTALLER_8D622ABC-7F4F-49CF-A95A-86F8A21753BA_local_outbyte_driver updater_installer
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1690
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$1690
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeMutant created: \Sessions\1\BaseNamedObjects\{C48CB245-2929-4724-9EEC-3BCCB48C78DE}-{42EDCAAA-67F6-42D0-A9C3-4291C4042352}-Protection
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeMutant created: \Sessions\1\BaseNamedObjects\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_SETUP
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp
                          Source: Yara matchFile source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Installer.exe.7260000.8.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Installer.exe.15e0000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.2012630901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.3301930565.0000000007261000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.2015672908.0000000006363000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.2016354535.0000000002350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.2013941037.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.3275278121.00000000015E1000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dll, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\SetupHelper.dll, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\rtl250.bpl, type: DROPPED
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeFile read: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Data\main.ini
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe"
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe "C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe" /spid:5876 /splha:35562336
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: wsock32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: oledlg.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: oleacc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: opengl32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: shfolder.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: glu32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: faultrep.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: dbghelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: dbgcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: wtsapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: winsta.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: googleanalyticshelperiv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: localizer.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: setuphelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: debughelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: textinputframework.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: coreuicomponents.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: dwmapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: msftedit.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: riched20.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: usp10.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: msls31.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: windows.globalization.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: bcp47mrm.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: globinputhost.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: windows.ui.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: windowmanagementapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: inputhost.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: twinapi.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile written: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Data\main.iniJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeFile opened: C:\Windows\SysWOW64\Msftedit.dllJump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: certificate valid
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic file information: File size 22391760 > 1048576
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeStatic PE information: section name: .didata
                          Source: DriverUpdater.exe.0.drStatic PE information: section name: .didata
                          Source: DriverUpdater.exe.0.drStatic PE information: section name: .xdata
                          Source: CommonForms.Site.dll.0.drStatic PE information: section name: .xdata
                          Source: SetupHelper.dll.0.drStatic PE information: section name: .didata
                          Source: InstallerUtils.dll.0.drStatic PE information: section name: .didata
                          Source: Installer.exe.0.drStatic PE information: section name: .didata
                          Source: Installer.exe.0.drStatic PE information: section name: .xdata
                          Source: BrowserHelper.dll.0.drStatic PE information: section name: .didata
                          Source: rtl250.bpl.0.drStatic PE information: section name: .didata
                          Source: vcl250.bpl.0.drStatic PE information: section name: .didata
                          Source: vclie250.bpl.0.drStatic PE information: section name: .didata
                          Source: OxComponentsRTL.bpl.0.drStatic PE information: section name: .didata
                          Source: AxComponentsRTL.bpl.0.drStatic PE information: section name: .didata
                          Source: AxComponentsVCL.bpl.0.drStatic PE information: section name: .didata
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00860006 push ecx; mov dword ptr [esp], edx2_2_0086000D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086C198 push esp; retn 0086h2_2_0086C20D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086C1BC push esp; retn 0086h2_2_0086C20D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086C24C push cs; ret 2_2_0086C2C9
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086C270 push cs; ret 2_2_0086C2C9
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_008775A8 push 00877600h; ret 2_2_008775F8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0087070C push ecx; mov dword ptr [esp], edx2_2_00870711
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00879E34 push ecx; mov dword ptr [esp], edx2_2_00879E3B
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00884E34 push ecx; mov dword ptr [esp], eax2_2_00884E36
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_0086BF88 push esp; retn 0086h2_2_0086C20D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00875F5C push ecx; mov dword ptr [esp], edx2_2_00875F60
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BDA0BC push esp; retf 00BDh2_2_00BDB671
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C420BC push C300C6D3h; ret 2_2_00C43C1E
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C581B0 push eax; retn 00C5h2_2_00C581B1
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C20130 push ecx; mov dword ptr [esp], edx2_2_00C20131
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C5813C push eax; retn 00C5h2_2_00C581B1
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C2C2D0 push edx; ret 2_2_00C2C2E5
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C2C210 push edx; ret 2_2_00C2C2E5
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C30434 push es; ret 2_2_00C3068A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C18604 push 0B5800C1h; retn 0000h2_2_00C18F2A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BEE65C push ecx; mov dword ptr [esp], edx2_2_00BEE65D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BCE8A4 push ecx; mov dword ptr [esp], edx2_2_00BCE8A5
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C48830 pushad ; retf 00C4h2_2_00C48835
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C0CA5C push ecx; mov dword ptr [esp], edx2_2_00C0CA5D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BFAB28 push ecx; mov dword ptr [esp], edx2_2_00BFAB29
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C18DE0 push 0B5800C1h; retn 0000h2_2_00C18F2A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C18D1C push 0B5800C1h; retn 0000h2_2_00C18F2A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C18EBC push 0B5800C1h; retn 0000h2_2_00C18F2A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BE2F10 push ecx; mov dword ptr [esp], edx2_2_00BE2F11
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C20F6C push ecx; mov dword ptr [esp], edx2_2_00C20F6D
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C1B1C8 push cs; retn 9C00h2_2_00C1B24D
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Downloader.exeJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Localizer.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\rtl250.bplJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\__setup\_setup64.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\GoogleAnalyticsHelperIV.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CFAHelper.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\AxComponentsVCL.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vcl250.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CommonForms.Site.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vclimg250.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vclie250.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\AxComponentsRTL.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\SetupHelper.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\OxComponentsRTL.bplJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\BrowserHelper.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\GoogleAnalyticsHelper.dllJump to dropped file
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\DriverUpdater.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeFile created: C:\ProgramData\Outbyte\Driver Updater\2.x\Logs\InstallerInternal.logJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeFile created: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\EULA.rtfJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00C1EFB0 @Oxrtl@System@Processes@Processes@TWindow@GetIsIconic$qqrv,IsIconic,2_2_00C1EFB0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeCode function: 2_2_00BDE7A8 @Oxrtl@System@Eventlog@TWindowsEventLog@OldClear$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,OpenEventLogW,ClearEventLogW,CloseEventLog,2_2_00BDE7A8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: QEMU QEMU QEMU QEMU 2_2_00C2AEA8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: QEMU QEMU 2_2_00C2AF8A
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C2AA28 RegQueryValueEx -> SystemBiosVersion/Date 2_2_00C2AA28
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C2ABA8 RegQueryValueEx -> SystemBiosVersion/Date 2_2_00C2ABA8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C2AEA8 RegQueryValueEx -> SystemBiosVersion/Date 2_2_00C2AEA8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C2B2C0 in eax, dx 2_2_00C2B2C0
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C1A394 rdtsc 2_2_00C1A394
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: @Oxrtl@Winapi@Advapi32@AdvApi32@EnumServicesStatus$qqruiuiuipvuiruit6t6,@Oxrtl@Winapi@Advapi32@AdvApi32@Proc$qqrx20System@UnicodeString, 2_2_00C162E8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: @$xp$30Oxrtl@Winapi@Advapi32@AdvApi32,@Oxrtl@Winapi@Advapi32@AdvApi32@EnumServicesStatus$qqruiuiuipvuiruit6t6,@Oxrtl@Winapi@Advapi32@AdvApi32@Proc$qqrx20System@UnicodeString, 2_2_00C162B4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: @Oxrtl@System@Processes@Processes@CheckStopProcessService$qqruijpqqr20System@UnicodeStringuiui47Oxrtl@System@Processes@TProcessStopServiceStageo$o,OpenSCManagerW,@Oxrtl@Winapi@Advapi32@AdvApi32@EnumServicesStatus$qqruiuiuipvuiruit6t6,@System@@TryFinallyExit$qqrv,@System@AllocMem$qqri,@Oxrtl@Winapi@Advapi32@AdvApi32@EnumServicesStatus$qqruiuiuipvuiruit6t6,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@UStrFromPWChar$qqrr20System@UnicodeStringpb,@System@Sysutils@TStringHelper@IsEmpty$qqrv,@System@@UStrToPWChar$qqrx20System@UnicodeString,OpenServiceW,QueryServiceStatusEx,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,QueryServiceStatus,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,ControlService,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,QueryServiceStatus,@Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv,@System@Math@Max$qqrxjxj,Sleep,QueryServiceStatus,@Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,Sleep,QueryServiceStatus,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,SetLastError,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@TryFinallyExit$qqrv,@System@@UStrClr$qqrpv, 2_2_00C1D30C
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Downloader.exe
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\__setup\_setup64.tmp
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dll
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CFAHelper.dll
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CommonForms.Site.dll
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vclie250.bpl
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\BrowserHelper.dll
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\GoogleAnalyticsHelper.dll
                          Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\DriverUpdater.exe
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; API coverage: 0.5 %
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00BF43D8 @Oxrtl@System@Fileutils@FileUtils@GetFileLastAccessTime$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,@System@Sysutils@FileDateToDateTime$qqri, 2_2_00BF43D8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00BF4454 @Oxrtl@System@Fileutils@FileUtils@GetFileLastModifiedTime$qqrx20System@UnicodeString,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,@System@Sysutils@FileDateToDateTime$qqri, 2_2_00BF4454
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_0085A258 GetSystemInfo, 2_2_0085A258
                          Source: Installer.exe; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                          Source: Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__VirtualBox Shared FoldersU
                          Source: Installer.exe; Binary or memory string: @Oxrtl@System@Wmdetect@WMDetect@IsInsideQEMU$qqrv
                          Source: Installer.exe; Binary or memory string: @Oxrtl@System@Wmdetect@WMDetect@IsInsideVMWare$qqrv
                          Source: Installer.exe, 00000002.00000002.3299208150.0000000006B69000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2176219587.0000000006B64000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                          Source: Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: vmQEMU
                          Source: Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: vmVMWare
                          Source: Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: QEMUHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierU
                          Source: SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000002.3258090694.00000000006D8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C1A394 rdtsc 2_2_00C1A394
                          Source: Installer.exe, 00000002.00000002.3262782157.0000000000D01000.00000020.00000001.01000000.0000000C.sdmp; Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32
                          Source: Installer.exe; Binary or memory string: Shell_TrayWnd
                          Source: Installer.exe, Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: Progman
                          Source: Installer.exe, 00000002.00000002.3262782157.0000000000D01000.00000020.00000001.01000000.0000000C.sdmp; Binary or memory string: Shell_TrayWndTrayNotifyWndU
                          Source: Installer.exe, 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp; Binary or memory string: Shell_TrayWndU
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: @Oxrtl@System@Utils@SysUtils@LocaleInformation$qqrxui,GetLocaleInfoW,@System@@UStrClr$qqrpv,@System@@UStrFromWArray$qqrr20System@UnicodeStringpbi, 2_2_00BF0D24
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C0E950 @Oxrtl@System@Pipe@TPipeServer@Open$qqrv,@System@@UStrToPWChar$qqrx20System@UnicodeString,CreateNamedPipeW,ConnectNamedPipe,GetLastError, 2_2_00C0E950
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00C355D8 @$xp$100System@Generics@Collections@%TObjectDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%,@System@@ClassCreate$qqrpvzc,@System@@ClassCreate$qqrpvzc,@System@TObject@$bctr$qqrv,GetSystemTimeAsFileTime,@System@@AfterConstruction$qqrxp14System@TObject, 2_2_00C355D8
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00BDEAD4 @Oxrtl@System@Eventlog@TWindowsEventLog@DateTimeFrom1970$qqrxj,GetTimeZoneInformation,@System@Sysutils@EncodeDate$qqrususus,@System@@_lldiv$qqrv,@System@@_llmod$qqrv,@System@@_lldiv$qqrv,@System@@_llmod$qqrv,@System@@_lldiv$qqrv,@System@@_llmod$qqrv,@System@Sysutils@TryEncodeTime$qqrususususr16System@TDateTime, 2_2_00BDEAD4
                          Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe; Code function: 2_2_00860288 @Vcl@Imaging@Gifimg@TGIFHeader@SaveToStream$qqrp22System@Classes@TStream,@Vcl@Imaging@Gifimg@TGIFImage@GetVersion$qqrv,@Vcl@Imaging@Gifconsts@_sGIFErrorSaveEmpty,@System@LoadResString$qqrp20System@TResStringRec,@Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv,@Vcl@Imaging@Gifimg@TGIFColorMap@SaveToStream$qqrp22System@Classes@TStream,@System@@UStrClr$qqrpv, 2_2_00860288
                          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                          Gather Victim Identity InformationAcquire Infrastructure1
                          Valid Accounts
                          1
                          Service Execution
                          1
                          DLL Side-Loading
                          1
                          DLL Side-Loading
                          1
                          Deobfuscate/Decode Files or Information
                          OS Credential Dumping2
                          System Time Discovery
                          Remote Services12
                          Archive Collected Data
                          1
                          Ingress Tool Transfer
                          Exfiltration Over Other Network Medium1
                          Data Encrypted for Impact
                          CredentialsDomainsDefault AccountsScheduled Task/Job1
                          Valid Accounts
                          1
                          Valid Accounts
                          2
                          Obfuscated Files or Information
                          LSASS Memory1
                          System Service Discovery
                          Remote Desktop Protocol1
                          Clipboard Data
                          21
                          Encrypted Channel
                          Exfiltration Over BluetoothNetwork Denial of Service
                          Email AddressesDNS ServerDomain AccountsAt1
                          Windows Service
                          1
                          Access Token Manipulation
                          1
                          DLL Side-Loading
                          Security Account Manager3
                          File and Directory Discovery
                          SMB/Windows Admin SharesData from Network Shared Drive2
                          Non-Application Layer Protocol
                          Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                          Windows Service
                          1
                          Masquerading
                          NTDS24
                          System Information Discovery
                          Distributed Component Object ModelInput Capture3
                          Application Layer Protocol
                          Traffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script3
                          Process Injection
                          1
                          Valid Accounts
                          LSA Secrets1
                          Query Registry
                          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                          Access Token Manipulation
                          Cached Domain Credentials221
                          Security Software Discovery
                          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
                          Virtualization/Sandbox Evasion
                          DCSync311
                          Virtualization/Sandbox Evasion
                          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job3
                          Process Injection
                          Proc Filesystem2
                          Process Discovery
                          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                          Indicator Removal
                          /etc/passwd and /etc/shadow1
                          Application Window Discovery
                          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                          System Owner/User Discovery
                          Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                          Source | Detection | Scanner | Label | Link
                          SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe | 0% | ReversingLabs
                          SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe | 3% | Virustotal | | Browse

                          Source | Detection | Scanner | Label | Link
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\AxComponentsRTL.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\AxComponentsVCL.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\BrowserHelper.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CFAHelper.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\CommonForms.Site.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Downloader.exe | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\DriverUpdater.exe | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\GoogleAnalyticsHelper.dll | 3% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\GoogleAnalyticsHelperIV.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe | 3% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Localizer.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\OxComponentsRTL.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\SetupHelper.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\__setup\_setup64.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\rtl250.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vcl250.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vclie250.bpl | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-8997833.tmp\vclimg250.bpl | 0% | ReversingLabs
                          No Antivirus matches
                          Source | Detection | Scanner | Label | Link
                          outbyte.com | 0% | Virustotal | | Browse
                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          outbyte.com | 45.33.97.245 | true | false | | unknown
                          Name | Malicious | Antivirus Detection | Reputation
                          https://outbyte.com/tools/userdata/?product=driver-updater | false
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/sid/get/xco7KleGZQ/ | false
                          • Avira URL Cloud: safe
                          unknown
                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://www.jrsoftware.org/0 | SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmp | false
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/software/info/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.openssl.org4.Installer.exe, 00000002.00000002.3311551438.000000000A200000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/driver-updater/update/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.outbyte.com/driver-updaterSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2079825565.00000000027A6000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.apache.org/licenses/LICENSE-2.0Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://%s:%u/d.phphSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.00000000072CE000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3275278121.00000000015E1000.00000020.00000001.01000000.0000000D.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.sqlite.org/copyright.htmlInstaller.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://crl.certum.pl/ca.crl0:SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://outbyte.com/en/support/contacts/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2079825565.00000000027A6000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://account.outbyte.com/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/software/info/_SieSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/sid/get/%0:s/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://debuglogs.outbyte.com/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3291632311.0000000003921000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.openssl.org/Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://mit-license.orgInstaller.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.opera.comSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/software/info/RHaiSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.trustpilot.com/review/outbyte.comSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jrsoftware.org/Installer.exe, 00000002.00000003.2194934494.0000000006BD2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.outbyte.com/en/support.phpThttp://www.outbyte.com/en/checkforupdate/?product=driver-updatSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2019118283.0000000002CC0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/contacts/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/userdata/?product=driver-updater=Installer.exe, 00000002.00000002.3258954583.000000000098B000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/contacts/HUnSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/driver-updater/afteruninstallb/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.outbyte.com/en/checkforupdate/?product=driver-updater&version=2.3.3.29920SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2079825565.0000000002764000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://customer.appesteem.com/certified?vendor=OUTBYBIhreSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/outbyte-vpn/accountSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/contacts/NNormalmenteSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/goblog/blog/why-update-computer-drivers/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/file-recovery/download/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/how-to-activate/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/software/info/bTieneSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.certum.pl/repository.0SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.outbyte.com/en/support.phpSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2079825565.00000000027A6000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/avarmor/download/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://ssl.outbyte.com/v1/checkSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2098057068.0000000006EFF000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.0000000006F76000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2082086460.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000002.3327010670.00000000FFCF0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/livechat/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/faq/driver-updater/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://net.geo.opera.com/opera/stable/windows?utm_source=outbyte&utm_medium=pb&utm_campaign=driverSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://outbyte.com/en/support/contacts/%http://www.outbyte.com/driver-updaterSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2019118283.0000000002CC0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://debuglogs.outbyte.com/USecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2098057068.0000000006EFF000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2095786000.0000000006F76000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2082086460.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000002.3327010670.00000000FFCF0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://repository.certum.pl/l3.cer0SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://api.sclpfybn.com/rest/v1/external/navigation/listSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/privacy/:https://outbyte.com/tools/userdata/?product=driver-updaterSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/contacts/QUnSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.opera.com/eula/computers0https://outbyte.com/software/pc-repair/download/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/##defs.ProductNameInternal##/purchase/?infoSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.opera.com/privacySecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://ocsp.certum.pl0.SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/helpdesk/account%https://outbyte.com/support/livechat/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://customer.appesteem.com/certified?vendor=OUTBY?YourSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/envelope/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000003.2098057068.0000000006EFF000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000000.2082086460.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Installer.exe, 00000002.00000003.2090687498.0000000006B35000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3327010670.00000000FFCF0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://outbyte.com/support/contacts/AUnSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.outbyte.com/en/checkforupdate/?product=driver-updater&version=2.3.3.29920QJgInstaller.exe, 00000002.00000002.3307935681.0000000007674000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://customer.appesteem.com/certified?vendor=OUTBYSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://net.geo.opera.com/opera/stable/windows?utm_source=outbyte&utm_medium=pb&utm_campaign=driverRSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://crl3.digicvInstaller.exe, 00000002.00000003.2129846043.0000000006B3A000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://du.outbyte.com/api/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/sid/ip/driver-updater/bOurSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/support/contacts/eWindowsSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://crl.certum.pl/l3.crl0aSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2013941037.000000007FDBA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2015672908.000000000660D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2016354535.00000000025FE000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://customer.appesteem.com/certified?vendor=OUTBYTSuaSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/refunds/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/software/avarmor/accountSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://net.geo.opera.com/opera/stable/windows?utm_source=outbyte&utm_medium=pb&utm_campaign=driverYSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/privacy/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://net.geo.opera.com/opera/stable/windows?utm_source=outbyte&utm_medium=pb&utm_campaign=driverUSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/en/support/livechat/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://net.geo.opera.com/opera/stable/windows?utm_source=outbyte&utm_medium=pb&utm_campaign=driver_SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/feedback/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/how-to-uninstall/SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://outbyte.com/tools/phones/?product=driver-updaterSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ssl.outbyte.com/v1/check-https://account.outbyte.com/site/current-timeSecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe, 00000000.00000003.2066785746.0000000006E00000.00000004.00001000.00020000.00000000.sdmp, Installer.exe, 00000002.00000002.3310553895.000000000822C000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          IP:45.33.97.245
                          Domain:outbyte.com
                          Country:United States
                          ASN:63949
                          ASN Name:LINODE-APLinodeLLCUS
                          Malicious:false
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1446951
                          Start date and time:2024-05-24 04:31:14 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 43s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:6
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                          Detection:SUS
                          Classification:sus26.evad.winEXE@3/30@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 172.217.16.206
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, www.google-analytics.com
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
                                  No context
                                  Process:C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):988
                                  Entropy (8bit):3.302663958300473
                                  Encrypted:false
                                  SSDEEP:24:QH01OQbFatIorYxpMnOSEdropMnOpNIlc:g0ktIoUxinOHdroinOTYc
                                  MD5:4A2FEA1EE6F7FBE3436DEC78E75B6F8C
                                  SHA1:ABBE163E2F6615A41BA456845C7D5BAFA9FB132C
                                  SHA-256:8895824995620542299B37EC092E8F7E46825C85B553B29CBBFB103A9FC39A35
                                  SHA-512:AE322E499FE98269D380B3A69B4B2A6FD5921227090364E8045245C4397FD69EBA20D792BC309F632C6253D70F3E7B982C6799DB5530FFF222C32E98E76DF1DB
                                  Malicious:false
                                  Reputation:low
                                  Preview:
                                  23.05.2024 22:32:16.166                                 RegInfoExt                Error open protection registry key "\SOFTWARE\Classes\CLSID\{6FBF610F-C2E8-622F-6F80-5BD3D9C8E663}\Version": (0x00000002) The system cannot find the file specified
                                  23.05.2024 22:32:16.166                                 ProtectionLibrary         Error load protection info "{C48CB245-2929-4724-9EEC-3BCCB48C78DE}"
                                  23.05.2024 22:32:16.166                                 ProtectionLibrary         Fix trial mode
                                  Process:C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):5568
                                  Entropy (8bit):3.4797838586085073
                                  Encrypted:false
                                  SSDEEP:96:7kZNkJKk1jkZrjkJyjkvkZNkAkPI5k745ks5kg5kJT5kA5kZ95kt5kak7dkBkVka:YQb1QFQ8Q8QLP37HL/YfiIF7KOSMm2Bb
                                  MD5:8CD563EE2B309170B3F2353FFC26CDEA
                                  SHA1:8455F1C2142E210EB2E66D1A90BA86886D0F699B
                                  SHA-256:7DA4DB92D28748D8CEB802BF1CDC931B51A943E5A875E62FC9F92A2544708C0E
                                  SHA-512:E269B1F0CF2FE647AF30BAC5F4E3B9BDAED1F353AD806FD6A47F7DC60076BEF0AD5AC41CEABB6CC8691145B55A5861A290BD500C43012E1CD38D7CBBC15C992E
                                  Malicious:false
                                  Reputation:low
                                  Preview:
                                  23.05.2024 22:32:16.276 Installer.exe                  ProjectTrackingProductInfoIV*** LoadByRegistry        ***
                                  23.05.2024 22:32:16.291 Installer.exe                  ProjectTrackingProductInfoIVDONE: LoadByRegistry(): SID: , Loaded: False
                                  23.05.2024 22:32:16.291 Installer.exe                  ProjectTrackingProductInfoIV
                                  23.05.2024 22:32:16.307 GoogleAnalyticsHelperIV.dll    ProjectTrackingProductInfoIV*** LoadByRegistry        ***
                                  23.05.2024 22:32:16.307 GoogleAnalyticsHelperIV.dll    Pr
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):2082984
                                  Entropy (8bit):6.669471163940495
                                  Encrypted:false
                                  SSDEEP:24576:Mfc1je5vDRlDcu6JwhlZlOcHrM8sYg5WyI7+:R18B6Jwhwcrfm5Wk
                                  MD5:C3A7D193162A47EE3E83DC39ABA8C5F1
                                  SHA1:BADD1DE3C7C75DDD5D63BF7A77DE468722C65F8F
                                  SHA-256:78849FB6DD5B547EE9B968CDD1A47DFD6808A34338667979B198742F3F2BE761
                                  SHA-512:1317D7C4442D6B2EF4D1D0713C8F41B067E7CF8D28D08077B0760B36B7CF0AA8886620324A786386AAB903ECAA034058CFC7A7BD7238DD9F30CF03DF6E630BD8
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):9262760
                                  Entropy (8bit):7.203282220550326
                                  Encrypted:false
                                  SSDEEP:98304:qHvC8IkaA+gicmJ36nUDbRNrY8TCfvLZl1OFgY97DG83JfhAS:qPzhrmJ36nUDPpCfvLZlNYNDFFhAS
                                  MD5:20DE92A935D8D45D012AB9198E9CC7D8
                                  SHA1:65FE4E87A9F180DB8638452BFE1A61F854BBFCE3
                                  SHA-256:A0572C9047256BC8C509A9602907975E3BEBEBC35926D7BA8540E92CC1430D35
                                  SHA-512:CC6C7EC1304011813D41C1D23537D33E84741FF8FB1C115552BE9D89D60C1530F5C7787FBEDDB31AD5A88A8F81DD7374B2808FAE98D0C97DCE07A245E17E7603
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):2240680
                                  Entropy (8bit):6.729455010595743
                                  Encrypted:false
                                  SSDEEP:24576:CDwWyx+MaIaZ2wqpzJMsvX52S2juh2RV505OcFMrITY8WDKqpIeWke+9fsdGs0wm:9+MaIaZ2wqlJn4juqm5lCrzeeWf+9sC
                                  MD5:CC3F6C9EAAD920E1A68B5ED657036E73
                                  SHA1:A1D37DA7B0B96448944B9899D77354DC23C4863B
                                  SHA-256:5D0C1F8199E143DA7896B40CCCD6E674A5221852FE13E5F2F8ED950EAE66A596
                                  SHA-512:7A6BC7877F8EB48C433C97E288D45521F43F18B1A0E03AEEE9375576A27061853D6A0932BD529D75185C17B1BD8655741F059BE28BBB5C71670C91CF967D414E
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):100008
                                  Entropy (8bit):6.5453631202633265
                                  Encrypted:false
                                  SSDEEP:1536:9u3Na6z5PVSr7BesdVdCRgDoqYa/jqY/q0d7HxqncDJ7A7xL:QNrYrlesdVzsqYa/j7/q0duYJe
                                  MD5:BD866825AB85E37959F40C9F30042BBC
                                  SHA1:7C94AD8EF5B955654B8BFD391B99A0B1D5ABB1D4
                                  SHA-256:D8763EC791685229B03ADC37501F0717F807CED821F8130471D255A291AF03C7
                                  SHA-512:F733A78D4B7479A9233A7D22716591005ACA32905B3C18A11BCC9FD488266B2D3E51FD1238E4EA651055108AFA19D12E31601450BB3824836BA97F7B3860EEF7
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):348328
                                  Entropy (8bit):7.1920696815259015
                                  Encrypted:false
                                  SSDEEP:6144:ZjceqDRN12QRY1b94PjneGfVriu3Rya2Ga0v3nawKn/hy/O6a:yeqDRGQRYz4PTe9u3RPta0vKrc/5a
                                  MD5:2CA11DB4D0C2A737187C002F731E014A
                                  SHA1:DC4ADC97C6364B8048DA0E10E5C533C7B54B1ED1
                                  SHA-256:7230F57DF4B2B8B91E10DC66EFCFC3096306D29A5513B0EAB96024F4EE465CD4
                                  SHA-512:1DE2277DF5C0E86FAAD95C8E6DD31BFB62EFBD7410EF6629B5D850E41A3A124C279C2633B16C30126197F0036240EAB66CF9CF36E120C3B0984A2FD7E17D5381
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:Generic INItialization configuration [CustomDllSurrogate]
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):4.92557199019145
                                  Encrypted:false
                                  SSDEEP:24:8nPotpNIdTfkH51kGuSAGUQenJZ/n2iWm/K0WaXnVDz:8tRfYFuSpUQen3/n2upWaXnVDz
                                  MD5:1222FE3B63384757B322D6504C37D444
                                  SHA1:E2EA1911982E8DE26757B863F4A65463EA0FDE42
                                  SHA-256:7853BDE1900A821B07E2060FE04902C38DE9597DD763C0CEA75FEC7F83CD11E6
                                  SHA-512:8F86E6D1835D012541BBC28042CB6774DE705698A2CE4340B20F92B7C3077027A9B8A45C4030EF84E951204FD941CBB7E0CC94F8DC7DE0C770BDEAA8B4B1D4DF
                                  Malicious:false
                                  Reputation:low
                                  Preview:[Common]..BaseApp = DriverUpdater.exe..AppUserModelID = Outbyte.DriverUpdater.2..AppUserProductName = Driver Updater..MessageUninstallClose = 13BAB384-7788-4C1F-92CD-CC6009A88457..MessageLanguageChanged = 85DE3DA5-504D-4574-8DF1-2EBA40F226B3..MessageSettingsChanged = A76DC8F0-6569-4A85-95D7-BE0FA65E27D5..ProductMutex = 8D622ABC-7F4F-49CF-A95A-86F8A21753BA_global_outbyte_driver updater....; ===============================================..; COM surrogate parameters (currently disabled)..; ===============================================..;[CustomDllSurrogate]..;SuppressExceptionsClassLibraries = 67EABA29-89CD-450E-A9CC-8EC44CCFCED1....[CommonForms]..LogoMedium = RES_ABOUT_ICON..LogoSmall = RES_ABOUT_ICON..LogoLarge = RES_ABOUT_ICON..MoneyBack = mbm100percent..ShowLogo = []..EnterSerialStyle = eddsSuppo
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):260776
                                  Entropy (8bit):6.586684828757847
                                  Encrypted:false
                                  SSDEEP:3072:M64pwLiZ/ftan3m5dl+Mxjw+i9mXqBehIp2CULwbLBCvYWmfaGju3dGyId/xsqYT:M6mpZNMmLEee2bYWJ9Yd4alnA
                                  MD5:6A3B746EEDCAAF4A39D1FA3E8DD1CC25
                                  SHA1:BC1CBC13503B8D62BEDF0F816D10A0F8EB65B74E
                                  SHA-256:B8019C7A777CB3C2AA2A37CB5DC622DC1CB42BDCF4DA07BE7DFF5DCC35BCACD0
                                  SHA-512:5B482EF7AAC625640E8762718BF8D99649D22B487285A9093505F691B4D966257829DE31AF62C5922E169FDF48F44C10388EDACE2F27F30D047662497468A2EF
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):8200872
                                  Entropy (8bit):7.327852759294853
                                  Encrypted:false
                                  SSDEEP:196608:YX6rUIZaj61wZhYbFHVS66xZNr4gP1nFQW+tuWy:YX6rUII61wZhYbR8PjNl
                                  MD5:8A520F86384958FB76E084F556056B50
                                  SHA1:B2935226F66AF0EA849E449869496F89FD2EFE37
                                  SHA-256:1F31162D1F0E346B1DA0AF8D11826893DFDCA8465E6C98236DD03946884D3487
                                  SHA-512:9F373CE32A58B5AE9ABFB7B1E8AC447E3B8BE1C403748E6992AF7B00EB7A200220462413C3CBFEFD4A8BFBD54F4F60F96F7A04E4ED9E87D36460E80E18B340B8
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
                                  Category:dropped
                                  Size (bytes):56906
                                  Entropy (8bit):5.260831038039761
                                  Encrypted:false
                                  SSDEEP:1536:n9dDjvBeeim09F4ZL+/BkIxyOhMxBz6LCrMGOQH7eod:9Vj5eeime/BLxy0MxBWLVQHVd
                                  MD5:C8D22E22F0D65D6E12215FDB684E0351
                                  SHA1:ADA8306A2EF4BC41193EE225DC62EDCEC1D479E1
                                  SHA-256:FDD970229CF6FDA7794C74F8048CAA473309784F3A0B77DA661024F556846CE9
                                  SHA-512:26C45D846EE29106086AD0FA60420B63B3154D5667D80698189796B8F49853FA293A91A2379C46CBAE6C0203D8E9A152CDE4B2EE2F7F03C7AD81FE115E74B68B
                                  Malicious:false
                                  Reputation:low
                                  Preview:{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049\deflangfe1049{\fonttbl{\f0\fswiss\fprq2\fcharset204 Arial;}{\f1\fswiss\fprq2\fcharset204 Calibri;}{\f2\fnil\fcharset0 Calibri;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;\red17\green85\blue204;\red55\green55\blue55;\red93\green43\blue255;}..{\*\generator Riched20 10.0.17763}{\*\mmathPr\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\widctlpar\sl276\slmult1\qc\cf1\b\f0\fs20 END USER LICENCE AGREEMENT\par..\par....\pard\widctlpar\sl276\slmult1 THIS END USER LICENCE AGREEMENT ("AGREEMENT") IS BETWEEN OUTBYTE COMPUTING PTY LTD (SYDNEY) AND ITS AFFILIATES HEREINAFTER "OUTBYTE" AND THE END USER ("YOU"). \par..\par..TO INSTALL AND USE SOFTWARE AND SERVICES BY OUTBYTE YOU MUST ACCEPT THE TERMS OF THE END USER LICENCE AGREEMENT BELOW. \par..\par..PLEASE READ THIS AGREEMENT CAREFULLY. BY DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING ALL OR ANY PORTION OF OUTBYTE SOFTWARE OR SERVICES YOU AGREE TO
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):134824
                                  Entropy (8bit):6.609940960230062
                                  Encrypted:false
                                  SSDEEP:3072:8Ocsh9g9cKnQgcVF0vilvWsqYaimj7/cXooLy:8ON9g9EViqlvHaimsoZ
                                  MD5:91F90884180ACF968DACADCF50AA74B8
                                  SHA1:7E1F9452DFD4ED8DE29DE08BBC3AA4BA4782F965
                                  SHA-256:0574277FB7C0298917077A32B3ADA793A994686E724DEBFBAAAFCD8AFF358D9C
                                  SHA-512:77FDB04E714D01BAA0F3326CEB2A8FE340B966948C71859993595B78B1FC41B8DC9AE00B8A6B4DAD8CB0F45CAAC9DD526632D4383D81F6339078813485A69BFA
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 3%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):273064
                                  Entropy (8bit):6.669230055346637
                                  Encrypted:false
                                  SSDEEP:3072:cYQfiN0DWFGFktZgwIz4gy0ADrhE3342ie97vCOzRc5sVqwuDVLEZUJ53J1sqYaL:c/iN0DiQ8D4I2jVHuDVLRsaQASoj
                                  MD5:73B390D24B06F5B17DD4C183E5FC2AA0
                                  SHA1:478982B5CB05DDA43226B61F8B96A0FEB6B8B394
                                  SHA-256:76D7EF3511F3CC5AEC32CDCF29B59A7138E193C850B774BFCACE8128B75194DE
                                  SHA-512:97D666C29BE04E8A9ADF64C9D5586822F3601291CE8AB53E792B0E8C8929D24636957E71A3BA42809A023935818BA3BA8811B66D4CA516EC132A588D39F8AC08
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):2875560
                                  Entropy (8bit):7.141233949183785
                                  Encrypted:false
                                  SSDEEP:24576:PGWT74FlNb6PsL6+WmAumwJSZRhBSTQCSnc/WOWFIYsh0S9Po6cKr6eXir66pDIu:H4FlJ602oBT1jKu0Y+YUFDxayvP55
                                  MD5:2F1908B8473BF08AFF928A95EE9ADF2D
                                  SHA1:FAD3A05535AFC1903AAFE25043E01151E1CA1203
                                  SHA-256:A9C97F9BDDE97F6A761CAE877E4D90B9E07253C5FE6E683708423E1CB90A535C
                                  SHA-512:AC7E8F14340ED8A1CC4993A72964424B566E13062DC83BEBAED8C4836DB4C7E116E78270F65B62716D51BE7D8182512310C1406B6D572EDEBCFBFC8C5051E29F
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 3%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):956072
                                  Entropy (8bit):6.570549901854017
                                  Encrypted:false
                                  SSDEEP:12288:Wu84dfPhl1cAr1D1TW+5QJPuA236eqDpZi6ehRRTL:9Xd3hXcArZQJWA23TspZi91
                                  MD5:95D95FE50BEE00F87946A2CD1D43FB66
                                  SHA1:E56D2FC1566A59F5A557DD89AAE2041A23047C09
                                  SHA-256:ADC52E27A490B387C9DFBF9562D309C7A588C5732CFE3A90B45268A5ECA94C5E
                                  SHA-512:FCA84AC09D5DB8D5B3633257E529F292F61C0E8B549AE9C5766192C157B57C829F55158311434E4BA8FC81929D5C82BB9BBE1DE74E44C0015B01FA3CB35001D1
                                  Malicious:false
                                  Yara Hits:
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\InstallerUtils.dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):296669
                                  Entropy (8bit):3.799952795255017
                                  Encrypted:false
                                  SSDEEP:3072:CUdKHaxXDaE9DOikDdQQ1a/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcy8:Q1/rov0ug0q
                                  MD5:A2352B514C8E9C6AAB9BF666336CC3A2
                                  SHA1:B419CC35FE1CFDBC3868433DC6A6DCBEB8ABA054
                                  SHA-256:3E972D678566983AD5D78644E400B20121946E110263B1890D525E299F952B1C
                                  SHA-512:858C0A26F1E7D9ABB3A97CCFB789C6ECA50C546F05D3EA783AE01EE41CF06AD01EA3160A6178C839777FF645F515D9EA1A7F410EA5EA84F2D8692F3F1738545C
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):273179
                                  Entropy (8bit):3.8093763667934875
                                  Encrypted:false
                                  SSDEEP:3072:CRKc//kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEA9D:8KfpUvH+8snWkoj
                                  MD5:9455ECD37BE8EE2D3949A4A34EDE2DD0
                                  SHA1:6F5C773F713929F7A54DFFC000954E32B98C7761
                                  SHA-256:074673C79FC8606B5A87CB5A52F4A91218831DC53B8E63A3D8E4EDB41357D2DE
                                  SHA-512:2E1CB3017502983C02B823608D2984F1A8BCAC86B0181DA7A2240C0C80746F8839D8FEF43B33D7DB522B3A07F1CADDF69C1B5F62193E14EC59DA349B242A9CFD
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):295489
                                  Entropy (8bit):3.774303045705742
                                  Encrypted:false
                                  SSDEEP:3072:glG1S/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEA98:0G1HZcRNHizW1SaY4Q
                                  MD5:5DD75EF12DE58410DD3275591F49113C
                                  SHA1:B9AF532774F344506F3DC4123723A4B9FF49CEDA
                                  SHA-256:7818791650723D977F72E96332B333F7CDA310EE541A16E968205CF40F36709E
                                  SHA-512:D101DC7BD82694D9D1495F4E319377185CE211D800183A7984A597FDAB6049DA09D7EDB662DCAD168AD27717C3A7C6FE50DCB0CAA2AC6A6CD20EB3E2D97F3A29
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):298365
                                  Entropy (8bit):3.7884286038599626
                                  Encrypted:false
                                  SSDEEP:3072:gWE/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEA9lIy:tnQVBwa8O
                                  MD5:13DB89C58F0E6E632F3D036D753EA7FB
                                  SHA1:70CD567D4538F76FBCCF45346F8AAB6CB98F6EF7
                                  SHA-256:B64A6A0C7FBEF9FCE62FEBDD227F7BEE7EF344A62116B4DF90AB25FEDE7D22E8
                                  SHA-512:4B144F80D0B0119584D9A8B77D47E56E7078BFDCE137CCBD5746CB8586F3A711D4ABC10B3D78DA883C75F69BDB2E00C347DBA385AB6116A096956202C24806D8
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):293535
                                  Entropy (8bit):3.7730959127192856
                                  Encrypted:false
                                  SSDEEP:3072:pgmxLd/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEAb:KyuWU5G
                                  MD5:152C0C480E5D2FF5EC5EF0BE40284184
                                  SHA1:E83533A4F9DFA5F20B7CDA2138127434DA1DA089
                                  SHA-256:A3A490B68F5699350EBF90DA5C5E5EC01C7940EE4CA8A4E9D39150E579A19C7C
                                  SHA-512:1C269142B14BD94CDCBFB45DE9C3BBE7CFD78177CB6ADDBC843221EEDC64CF5B0867149D754C575A5B4E1E23264CE9C9D97B9022CA8D9A3D56A3C146AA6DD78A
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):232497
                                  Entropy (8bit):4.644795422592016
                                  Encrypted:false
                                  SSDEEP:3072:JpTDR/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEA9a:HTDIW3MBxfpCaZqJLOmW
                                  MD5:827C25F3AF9E89FA53219AEB1D373FA9
                                  SHA1:D91F761032A9961F5CF3C9C9E2FBB45449E73A09
                                  SHA-256:5AA8C0536A41DD65520AFF319BC37C38784BF779147CD860F2B0802C97EAC5CB
                                  SHA-512:4E4AC76497621A51F9E6344723522C056CAB251857EA2F58697C76F71DAB2C88D82DFB639124F9E837CDC0EA9C4FD1A5FECA805F5EF93CCE12DEC2D4CAF50079
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:BALANCE NS32000 .o not stripped version 101
                                  Category:dropped
                                  Size (bytes):290252
                                  Entropy (8bit):3.7969492042652444
                                  Encrypted:false
                                  SSDEEP:3072:UaRiH/kjwPWGnvUTqQN5+5ZvxYthHwRjP9VLQddstitIcymBtk/Y1Gm5uvccEA9j:F/3egTYT
                                  MD5:208DAC0479E8E7C4C54D64ADE7B42498
                                  SHA1:3DBC6FF80060D064AF138713041C16F1D4579028
                                  SHA-256:AC7677BA57DA17649D8281EAA1385DA4FBFD9BC7FD7FCFFF39A82937149CB98F
                                  SHA-512:E6CFCA0E5E920EFCA95E278E8861C55085EEF1F61D5D627E00022E6370A53F3B31443979112EBD4116A3E383C65BD5D8B0819CD97C0BCBDF6E347C163C0828BE
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):196776
                                  Entropy (8bit):6.6792568602374205
                                  Encrypted:false
                                  SSDEEP:3072:auRLNVf3d9vHremu6J2ME12VUenRV0OuVmHQuFsqYaBhj7/d24h8Z:jwqpLVjnRVxwhu8aBhIik
                                  MD5:858416CCE9C98C40050DE9AA06AF2022
                                  SHA1:4948D0CCC91EAAD1ABF5BBF5BE7023B4FED6F97B
                                  SHA-256:E88C68ECE877C2C0B2D8C41EFD40D3C8AB1F2957EA8E11493A373744C13E0573
                                  SHA-512:D576F53227CA18BA8BDFB567052EADEB9CE353351B80CCDAB35838C804BC61F429E439AAD5F559E60699996DDAA72C3D01990558F57B52D0DC34D9ED5CC29C6F
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1264808
                                  Entropy (8bit):6.643801895024053
                                  Encrypted:false
                                  SSDEEP:24576:eOd7NWM6Sahe/Vdz1j8afhLdIWqJq1YPh:eIIA/nz1cJfp
                                  MD5:EAA639D3B6FE692BEB942C27D7D2724B
                                  SHA1:B51AEB650F5DB4C82229AD23921DCBE41A5C1340
                                  SHA-256:654D5C7C5D256CE188B821F598BE9CBCDFE61D6414B6D1FBCB62D1483D8C8AB9
                                  SHA-512:6DF81BDD6EF6122E492F098EFDE8AF2E0E1BD39FFB43E602D6300E20DA21A9B22F6B7F5B4C146D582177A7677F67B4D2EEC714685FAFDE24C46214E963E1C59E
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3362816
                                  Entropy (8bit):6.743282627262014
                                  Encrypted:false
                                  SSDEEP:49152:TpRNoYRRspwvkiV8THITkeABK6OSCDxioNphoMDC1Z:NRCIRshiV8IYISCDxiA9DC
                                  MD5:7A29A34755754B7541AFCD5BF1801341
                                  SHA1:24C6A94BCC4EFBA674F3252D0A38A556374E9A9D
                                  SHA-256:139470E7E2FFE39DAF8BB722CFEE05BEA1E7CECF6FD6CCFF31431A897DE9D1C1
                                  SHA-512:1FE7BF3739630D7293B67B89B97A60AD048BCC5F3686B892DEBCE4B6E368888C04DE5282D33E87DB36310AFBEF6BBCFD1D743B39858A6E432FE92FD1771811C8
                                  Malicious:false
                                  Yara Hits:
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\SetupHelper.dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):6144
                                  Entropy (8bit):4.720366600008286
                                  Encrypted:false
                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):10604200
                                  Entropy (8bit):6.659776257993777
                                  Encrypted:false
                                  SSDEEP:98304:GrPcd7oJhMeF+JH4m3r3PtjvcHZKbcX/d+XuJSLu1:GQ1ZJYe3P9c9PzWk
                                  MD5:481B636BD54E231810C7D2C045D70168
                                  SHA1:CE6FEFC5525AD08EBA947F1781A248141A846F77
                                  SHA-256:4722EF802CE0F9971EE37D56CB821800C11048C4BF72D81B6702CA7690AB531B
                                  SHA-512:C1D4490E63394F438ADBD055868A254F2CD0AB5BDD8F32F92D2D1050C01B91A0764B9391335FE9D4A73FB766CC0A12EDFC2B96597D4FDADE5898DDFCB841F2A2
                                  Malicious:false
                                  Yara Hits:
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\is-8997833.tmp\rtl250.bpl, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):4059816
                                  Entropy (8bit):6.736788063379502
                                  Encrypted:false
                                  SSDEEP:49152:73WQ4ED/9aSr4TUpgZmhXQIP2mrzwFrAj7Bo0kL3udI+Wy:7GQkTofzuAj7BhAS
                                  MD5:841026051B1D109DF5808266CA610C6E
                                  SHA1:A1523033BB2BA78D1AD58736D1300B074F62CC25
                                  SHA-256:2DBAA8B91E2E9FBB1E9A9AFAFA192386C30C2CBC87DA9AF77A763E11122A1E17
                                  SHA-512:EAE1594A758F0F4DEFCE13582A455041DDB0ABE8442FA7DDC2AFE139A2AAE939A4767B1CA936C7B6EAF6777847D453CA3C1AF254FD59611B3BBC8D9A30077D9B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1098408
                                  Entropy (8bit):6.764715415971798
                                  Encrypted:false
                                  SSDEEP:24576:JFo/3f7F/ti9VcGJp1HbrqSJIMGCsw3QvEe:JFo/5c9VFVfNw
                                  MD5:6539840764CAF2DEA0C749ACFE340203
                                  SHA1:8E1CEAE6107662BEDDA0FC6B9DD5277421F999DD
                                  SHA-256:FA03A4E41CD6FF0E0DBB01C45E378E720A47FB156BF49A125BF31F376177D379
                                  SHA-512:6DE6A48B57C2D1206938526B11DBE12525A4F435E80B41B17510F5D91C8F5627F826FEBD903CC3109E0B41BD78AA9DB41705E13F9C1B29056884E6A9830C00CF
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):373928
                                  Entropy (8bit):6.70366686334798
                                  Encrypted:false
                                  SSDEEP:6144:cdJVpo6Pb6So4ZmCY6wAnAGgDPFLYU1hHXRn5c1zOVFvdcy3s:cNpNhmN6dAGgDtz1hHXx8zuvdcy8
                                  MD5:EB89B73CD72B9077CA542B0D2582F20E
                                  SHA1:7244F3FACD7C2F061A9ADB2085D4F7F05551732A
                                  SHA-256:1C2C45A932484BC94850911E27942E461709DC5FF7747020267D984E4E404AA2
                                  SHA-512:2E2D184CEA520675072610A6FDC26D0B6D683D286B9FF7766B179A473FA15B4C8CFFA3865FE8EF434E88695AC122AAAFF84516F2AEA3D07AD7A78BD9D0F2643F
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.990434728612355
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.53%
                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  File size:22'391'760 bytes
                                  MD5:bfbb46c049e5d57500c3f5cdb1ba7f45
                                  SHA1:c58483fb9fe53e411c03be9d2d7b73bbe48793e4
                                  SHA256:351b5948fc7f05d1d6ecf2c46ccc82ad540859d9130be307e6bf22b41da1a766
                                  SHA512:b38198bb6a0b608c9d743bd481aa30fb7ab5df7f6d505002ae218cac716db4d673f3de37809f3fa2ee6d5c175ce72540edbbb6d2d6c25f81b1b69e280e3a2882
                                  SSDEEP:393216:xsT6+lrfqHjdxzVBVrij/jWMBncv83coV8GA8dvQa6dYN2yxOpgL+/zxazZ:xs++yxpajjaUZVb/d4a6dYN2yn+N2
                                  TLSH:0F37336200804829D14207708DED6CA0A92F3F2D797674DA50F73AF9CB76B553E64EAF
                                  Icon Hash:0b0331323131030b
                                  Entrypoint:0x424530
                                  Entrypoint Section:.itext
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x65CE5A0B [Thu Feb 15 18:38:03 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:0
                                  File Version Major:5
                                  File Version Minor:0
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:0
                                  Import Hash:4d65eb009a5bed7efce0091931f34eb4
                                  Signature Valid:true
                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                  Signature Validation Error:The operation completed successfully
                                  Error Number:0
                                  Not Before | Not After
                                  • 13/03/2024 01:00:00 | 22/07/2026 01:59:59
                                  Subject Chain
                                  • CN=Outbyte Computing Pty Ltd, O=Outbyte Computing Pty Ltd, L=Sydney, S=New South Wales, C=AU, SERIALNUMBER=615 979 765, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AU
                                  Version:3
                                  Thumbprint MD5:AD06DFDF2B3AC7CECD39DCAC218E54B0
                                  Thumbprint SHA-1:921CB44AAEA86D49F2EFC51EED24D361C2A388EC
                                  Thumbprint SHA-256:C7E530157D42D6FC36399347E2FC9573A445FC781F3117608378C30FD7906653
                                  Serial:0C1FCA992FF447CA61AD5B16F5A9BF09
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  add esp, FFFFFFF0h
                                  push ebx
                                  push esi
                                  push edi
                                  mov eax, 00421A54h
                                  call 00007F41094593F6h
                                  xor edx, edx
                                  push ebp
                                  push 004245AFh
                                  push dword ptr fs:[edx]
                                  mov dword ptr fs:[edx], esp
                                  mov eax, dword ptr [00421920h]
                                  call 00007F410946F752h
                                  xor eax, eax
                                  push ebp
                                  push 0042459Eh
                                  push dword ptr fs:[eax]
                                  mov dword ptr fs:[eax], esp
                                  mov eax, dword ptr [00421280h]
                                  call 00007F410946F482h
                                  mov eax, dword ptr [004265C8h]
                                  cmp dword ptr [eax], 01h
                                  jne 00007F410947227Bh
                                  mov eax, dword ptr [004265C8h]
                                  xor edx, edx
                                  mov dword ptr [eax], edx
                                  xor eax, eax
                                  pop edx
                                  pop ecx
                                  pop ecx
                                  mov dword ptr fs:[eax], edx
                                  push 004245A5h
                                  mov eax, dword ptr [00421920h]
                                  call 00007F410946F6F8h
                                  ret
                                  jmp 00007F4109453F8Ah
                                  jmp 00007F4109472260h
                                  xor eax, eax
                                  pop edx
                                  pop ecx
                                  pop ecx
                                  mov dword ptr fs:[eax], edx
                                  jmp 00007F41094722B4h
                                  jmp 00007F4109453DF1h
                                  add al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  mov eax, C800412Ah
                                  inc ebp
                                  inc edx
                                  add byte ptr [eax-2CFFBEDEh], cl
                                  inc ebp
                                  inc edx
                                  add byte ptr [ecx+004265C8h], ah
                                  xor edx, edx
                                  mov dword ptr [eax], edx
                                  jmp 00007F410947228Bh
                                  mov ebx, eax
                                  push 00000010h
                                  push 00424608h
                                  mov eax, dword ptr [ebx+04h]
                                  call 00007F4109454EB1h
                                  push eax
                                  push 00000000h
                                  call 00007F4109459E55h
                                  call 00007F41094540E0h
                                  mov eax, dword ptr [004265C8h]
                                  mov eax, dword ptr [eax]
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2f000 | 0x74 | .edata
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d000 | 0xcda | .idata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x4abc4 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1554f28 | 0x5ca8
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0x3170 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x31000 | 0x18 | .rdata
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2d270 | 0x1e4 | .idata
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2e000 | 0x1f4 | .didata
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x228f0 | 0x22a00 | c4935c77b6dcccda129dacc031676833 | False | 0.4612336416967509 | data | 6.360820668179134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .itext | 0x24000 | 0x630 | 0x800 | ea0ef8df4fb0583c656244e027e1de80 | False | 0.51904296875 | data | 5.1288400265571745 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .data | 0x25000 | 0x17b0 | 0x1800 | 82a719c709b9ae43588552ca35077efa | False | 0.3797200520833333 | data | 3.6303909168087305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .bss | 0x27000 | 0x5d24 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .idata | 0x2d000 | 0xcda | 0xe00 | c7c00dd46505e21dd513c2ac9202b397 | False | 0.3607700892857143 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.769465557918692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .didata | 0x2e000 | 0x1f4 | 0x200 | 2bda83a1c125a384429521517bd37097 | False | 0.4375 | firmware 100 v0 (revision 1927348736) (\341\002 , version 38080.16384.25792 (region 2296381952), 0 bytes or less, UNKNOWN1 0x88e00200, at 0 0 bytes , at 0 0 bytes , at 0xd0284000 1210597376 bytes | 3.4701416920633124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .edata | 0x2f000 | 0x74 | 0x200 | 1ca939239ba48e913fe26249e944a5d3 | False | 0.1875 | data | 1.3476582570627142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .tls | 0x30000 | 0x14 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rdata | 0x31000 | 0x5d | 0x200 | f6e17015bec9014de691418fb1506860 | False | 0.189453125 | data | 1.3579391515601507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x32000 | 0x3170 | 0x3200 | 80b14d8a68da7b649c2e18a2cab8570e | False | 0.5965625 | data | 6.5280223641545065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x36000 | 0x4abc4 | 0x4ac00 | c7a527816fa3ce3236cf91ad0bcaceaf | False | 0.05898568143812709 | data | 2.710913938703717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_ICON | 0x3650c | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.03393792348433293
                                  RT_ICON | 0x78534 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1483402489626556
                                  RT_ICON | 0x7aadc | 0x1348 | Device independent bitmap graphic, 34 x 68 x 32, image size 4896 | English | United States | 0.21211507293354942
                                  RT_ICON | 0x7be24 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.22068480300187618
                                  RT_ICON | 0x7cecc | 0xb20 | Device independent bitmap graphic, 26 x 52 x 32, image size 2808 | English | United States | 0.2752808988764045
                                  RT_ICON | 0x7d9ec | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.2872950819672131
                                  RT_ICON | 0x7e374 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.3540697674418605
                                  RT_ICON | 0x7ea2c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.40070921985815605
                                  RT_STRING | 0x7ee94 | 0x4c | data | | | 0.5263157894736842
                                  RT_STRING | 0x7eee0 | 0x260 | data | | | 0.3256578947368421
                                  RT_STRING | 0x7f140 | 0x1b4 | data | | | 0.518348623853211
                                  RT_STRING | 0x7f2f4 | 0xcc | data | | | 0.6274509803921569
                                  RT_STRING | 0x7f3c0 | 0x198 | data | | | 0.5612745098039216
                                  RT_STRING | 0x7f558 | 0x31c | data | | | 0.41457286432160806
                                  RT_STRING | 0x7f874 | 0x354 | data | | | 0.4107981220657277
                                  RT_STRING | 0x7fbc8 | 0x2b8 | data | | | 0.4367816091954023
                                  RT_RCDATA | 0x7fe80 | 0x10 | data | | | 1.5
                                  RT_RCDATA | 0x7fe90 | 0x200 | data | | | 0.654296875
                                  RT_RCDATA | 0x80090 | 0x65 | data | English | Australia | 0.7326732673267327
                                  RT_GROUP_ICON | 0x800f8 | 0x76 | data | English | United States | 0.7372881355932204
                                  RT_VERSION | 0x80170 | 0x354 | data | English | Australia | 0.4518779342723005
                                  RT_MANIFEST | 0x804c4 | 0x700 | XML 1.0 document, ASCII text, with CRLF line terminators | English | Australia | 0.39732142857142855
                                  DLL | Import
                                  kernel32.dll | SetFileAttributesW, EnterCriticalSection, QueryDosDeviceW, SetFilePointer, GetACP, GetExitCodeProcess, LoadResource, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, GetTickCount, FindNextFileW, GetFullPathNameW, VirtualFree, GetFileSize, GetStartupInfoW, ExitProcess, GetFileAttributesW, InitializeCriticalSection, GetCurrentProcess, VirtualAlloc, RtlUnwind, GetCPInfo, GetCommandLineW, GetSystemInfo, GetProcAddress, LeaveCriticalSection, EnumSystemLocalesW, GetStdHandle, GetLogicalDriveStringsW, FileTimeToLocalFileTime, GetVersionExW, VerifyVersionInfoW, GetModuleHandleW, FreeLibrary, GetWindowsDirectoryW, FileTimeToDosDateTime, ReadFile, GetDiskFreeSpaceW, VerSetConditionMask, GetUserDefaultUILanguage, FindFirstFileW, CreateProcessW, UnmapViewOfFile, SetLastError, GetModuleFileNameW, GetLastError, FindResourceW, lstrlenW, SetEndOfFile, QueryPerformanceCounter, CompareStringW, WideCharToMultiByte, MapViewOfFile, MultiByteToWideChar, FindClose, LoadLibraryW, LoadLibraryA, GetVolumeInformationW, ResetEvent, SetEvent, CreateFileW, GetLocaleInfoW, GetDriveTypeW, GetVersion, DeleteFileW, RaiseException, FormatMessageW, SwitchToThread, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, DeleteCriticalSection, TlsGetValue, IsValidLocale, TlsSetValue, CreateDirectoryW, LockResource, LoadLibraryExW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, CreateEventW, GetThreadLocale, Sleep, SetThreadLocale
                                  version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                  user32.dll | CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, TranslateMessage, CharLowerBuffW, LoadStringW, CharUpperW, PeekMessageW, GetSystemMetrics, DispatchMessageW, MessageBoxW
                                  oleaut32.dll | SysAllocStringLen, SysFreeString, SysReAllocStringLen
                                  netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                                  advapi32.dll | RegQueryValueExW, RegCloseKey, RegOpenKeyExW
                                  Name | Ordinal | Address
                                  __dbk_fcall_wrapper | 2 | 0x40b598
                                  dbkFCallWrapperAddr | 1 | 0x42a628
                                  Language of compilation system | Country where language is spoken
                                  English | United States
                                  English | Australia
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  May 24, 2024 04:32:17.340697050 CEST | 64376 | 53 | 192.168.2.5 | 1.1.1.1
                                  May 24, 2024 04:32:17.358325958 CEST | 53 | 64376 | 1.1.1.1 | 192.168.2.5
                                  May 24, 2024 04:32:26.339338064 CEST | 53 | 63580 | 1.1.1.1 | 192.168.2.5
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  May 24, 2024 04:32:17.340697050 CEST | 192.168.2.5 | 1.1.1.1 | 0x9ba0 | Standard query (0) | outbyte.com | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  May 24, 2024 04:32:17.358325958 CEST | 1.1.1.1 | 192.168.2.5 | 0x9ba0 | No error (0) | outbyte.com | | 45.33.97.245 | A (IP address) | IN (0x0001) | false
                                  • outbyte.com
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.5 | 49705 | 45.33.97.245 | 443 | 5776 | C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-05-24 02:32:18 UTC | 100 | OUT | GET /tools/userdata/?product=driver-updater HTTP/1.1
                                  Host: outbyte.com
                                  Cache-Control: no-cache
                                  2024-05-24 02:32:18 UTC | 246 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 24 May 2024 02:32:18 GMT
                                  Content-Type: application/json; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Accept-CH: Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version
                                  2024-05-24 02:32:18 UTC | 23 | IN | Data Raw: 64 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 30 7d 0d 0a 30 0d 0a 0d 0a
                                  Data Ascii: d{"success":0}0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.5 | 49706 | 45.33.97.245 | 443 | 5776 | C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-05-24 02:32:18 UTC | 81 | OUT | GET /sid/get/xco7KleGZQ/ HTTP/1.1
                                  Host: outbyte.com
                                  Cache-Control: no-cache
                                  2024-05-24 02:32:19 UTC | 246 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 24 May 2024 02:32:19 GMT
                                  Content-Type: application/json; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Accept-CH: Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version
                                  2024-05-24 02:32:19 UTC | 62 | IN | Data Raw: 33 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 30 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 27 74 20 66 69 6e 64 20 53 49 44 20 78 63 6f 37 4b 6c 65 47 5a 51 22 7d 0d 0a 30 0d 0a 0d 0a
                                  Data Ascii: 33{"success":0,"message":"Can't find SID xco7KleGZQ"}0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.5 | 49707 | 45.33.97.245 | 443 | 5776 | C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-05-24 02:32:19 UTC | 75 | OUT | GET /tools/ipInfo/ HTTP/1.1
                                  Host: outbyte.com
                                  Cache-Control: no-cache
                                  2024-05-24 02:32:19 UTC | 298 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Fri, 24 May 2024 02:32:19 GMT
                                  Content-Type: application/json; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Cache-Control: private, max-age=0, must-revalidate
                                  Accept-CH: Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version
                                  2024-05-24 02:32:19 UTC | 146 | IN | Data Raw: 38 37 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 7b 22 63 6f 64 65 22 3a 22 4e 41 22 2c 22 6e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 7d 2c 22 63 6f 75 6e 74 72 79 22 3a 7b 22 63 6f 64 65 22 3a 22 55 53 22 2c 22 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 7d 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 7d 0d 0a 30 0d 0a 0d 0a
                                  Data Ascii: 87{"ip":"8.46.123.175","continent":{"code":"NA","name":"North America"},"country":{"code":"US","name":"United States"},"city":"New York"}0



                                  Target ID:0
                                  Start time:22:32:04
                                  Start date:23/05/2024
                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5457.1790.16701.exe"
                                  Imagebase:0x400000
                                  File size:22'391'760 bytes
                                  MD5 hash:BFBB46C049E5D57500C3F5CDB1BA7F45
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2066785746.0000000007158000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2012630901.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2015672908.0000000006363000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2016354535.0000000002350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2013941037.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:2
                                  Start time:22:32:11
                                  Start date:23/05/2024
                                  Path:C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-8997833.tmp\Installer.exe" /spid:5876 /splha:35562336
                                  Imagebase:0x400000
                                  File size:2'875'560 bytes
                                  MD5 hash:2F1908B8473BF08AFF928A95EE9ADF2D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.3301930565.0000000007261000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.3275278121.00000000015E1000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 3%, ReversingLabs
                                  Reputation:low
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:0.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:1
                                    Total number of Limit Nodes:0
                                    execution_graph 131554 bc8a60 GetUserDefaultGeoName

                                    Control-flow Graph

                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250(00000000,00875D72,?,?,?,?,00000000,00000000), ref: 00875A4D
                                    • @System@@AStrCmp$qqrv.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875A6E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875A7D
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875A8E
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875AAA
                                      • Part of subcall function 0087084C: @System@@GetMem$qqri.RTL250.BPL(00000000,038D2148,00870789,?,?,0087021B), ref: 00870863
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875ACA
                                      • Part of subcall function 0087084C: @System@@ReallocMem$qqrrpvi.RTL250.BPL(00000000,038D2148,00870789,?,?,0087021B), ref: 0087087A
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875AEF
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875AFC
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875B0D
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875B15
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875B3D
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875B4A
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875B5E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875B6B
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875B7C
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875B97
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875BA4
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875BB6
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875BC3
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875BF0
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875BFD
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetItem$qqruipxv.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875C22
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(?,?,?,?,00000000,00000000), ref: 00875C34
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,?,?,00000000,00000000), ref: 00875C5F
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00875C76
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00875C83
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00875C94
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(?,00000000,00875CDF,?,?,?,?,?,00000000,00000000), ref: 00875CB8
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,?,00000000,00000000), ref: 00875D0A
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,?,00000000,00000000), ref: 00875D17
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(?,?,00000000,00000000), ref: 00875D2E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000), ref: 00875D41
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,?,00000000,00000000), ref: 00875D52
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00875D79,00000000), ref: 00875D6C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Imaging@Pngimage@Vcl@$System@@$Unicode$String$List@$Pointer$Array$qqrr20FromImage@Size$qqrxuiStringpci.$Class20Equal$qqrv.Error$qqrp17LoadMetaRaiseRec.String$qqrp20$Item$qqrui$ArrayByteChunks$qqrvClearClr$qqrpvi.Cmp$qqrv.Item$qqruipxvMem$qqri.Mem$qqrrpvi.ReallocSwap$qqrxi
                                    • String ID: $IDAT$IEND$IHDR$cHRM
                                    • API String ID: 2269015693-1212866595
                                    • Opcode ID: 29a4697ad4ae7c0e0bb4b347398c3b6eaf23a610298b10dd2b9e52a49e286799
                                    • Instruction ID: 116b232e184a19e1df982a68bb3d6a1f0eff2790c5238c985fc64206be3a0dd7
                                    • Opcode Fuzzy Hash: 29a4697ad4ae7c0e0bb4b347398c3b6eaf23a610298b10dd2b9e52a49e286799
                                    • Instruction Fuzzy Hash: 0AA12E34A00609CFDB14EB98C585AADB7B5FF88310F60C0A5E908EB359DB70EE45CB52

                                    Control-flow Graph

                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,00000000,0087183D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00871708
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(00000000,00870FD7), ref: 00870F40
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870F6A
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F7D
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F8C
                                      • Part of subcall function 00870F18: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00870FAB
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00870FBC
                                      • Part of subcall function 00870F18: @System@@UStrClr$qqrpv.RTL250.BPL(00870FDE), ref: 00870FD1
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0087183D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00871727
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,00000000,0087183D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00871738
                                      • Part of subcall function 00874CA4: @System@@UStrAddRef$qqrpv.RTL250.BPL(?,?,?,00870A23), ref: 00874CB1
                                      • Part of subcall function 00874CA4: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CCB
                                      • Part of subcall function 00874CA4: @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CD0
                                      • Part of subcall function 00874CA4: @System@@UStrClr$qqrpv.RTL250.BPL(00874CF2,?,?,?,00870A23), ref: 00874CE5
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250(?,00000000,0087183D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00871759
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250(?,00000000,0087183D,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0087176A
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00871797
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 008717A8
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00871844,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00871837
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Imaging@Vcl@$L250$Pngimage@$String$System@@$LoadRaiseUnicode$ByteClass20Error$qqrp17Image@MetaRec.StaticString$qqrp20Swap$qqrxiSystem@%$Array$uci$i65536$%iChunk@Clr$qqrpv.Pngimage@update_crc$qqruip32$ArrayArray$ci$i4$%iClasses@Clr$qqrpvi.Data$qqrxuiExcept$qqrv.Exception@$bctr$qqrx20FromRef$qqrpv.ResizeStream$qqrp22Streamx27String.Sysutils@
                                    • String ID:
                                    • API String ID: 2437407354-0
                                    • Opcode ID: 135ab70f6575e66b2720d1da200b998cc05367ae6e80c13674c5fa32d7c29a29
                                    • Instruction ID: 67017d48704cfc8af6571bf1a8e5486e0a8f652d58cdec29d8a50df2fd66c749
                                    • Opcode Fuzzy Hash: 135ab70f6575e66b2720d1da200b998cc05367ae6e80c13674c5fa32d7c29a29
                                    • Instruction Fuzzy Hash: D6417E74600B448FCB21DB6CC884AAAB7E1FF45301F10842AE999D775ACAB0FD44CB56

                                    Control-flow Graph

                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BC8AC7
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00BC8AD0
                                    • @Oxrtl@System@Win@Osinfo@OSInfo@IsWindows10Version$qqr37Oxrtl@System@Win@Osinfo@TWin10Versiont1.OXCOMPONENTSRTL ref: 00BC8AE7
                                      • Part of subcall function 00BC7870: @Axrtl@System@Win@Osinfo@OSInfo@OSVersionValue$qqrv.AXCOMPONENTSRTL.BPL(00000000,00BC78C5,?,?,?,00000000,00000000,00000000,00000000), ref: 00BC7890
                                      • Part of subcall function 00BC7870: @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC78CC,?,?,00000000,00000000,00000000,00000000), ref: 00BC78BF
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00BC8AF7
                                    • @Oxrtl@Winapi@Kernel32@Kernel32@GetUserDefaultGeoName$qqrpbui.OXCOMPONENTSRTL(00000000,00BC8B62), ref: 00BC8B12
                                      • Part of subcall function 00BC8A60: @Oxrtl@Winapi@Kernel32@Kernel32@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BC8A70
                                      • Part of subcall function 00BC8A60: GetUserDefaultGeoName.KERNEL32 ref: 00BC8A75
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00BC8B62), ref: 00BC8B1D
                                    • @System@@ReallocMem$qqrrpvi.RTL250.BPL(00000000,00BC8B62), ref: 00BC8B2D
                                    • @Oxrtl@Winapi@Kernel32@Kernel32@GetUserDefaultGeoName$qqrpbui.OXCOMPONENTSRTL(00000000,00BC8B62), ref: 00BC8B37
                                    • @System@Sysutils@StrPas$qqrpxb.RTL250.BPL(00000000,00BC8B62), ref: 00BC8B47
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00BC8B69), ref: 00BC8B5C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Kernel32@System@@$Osinfo@Oxrtl@Win@$Axrtl@DefaultInfo@UnicodeUserWinapi@$Name$qqrpbui$Asg$qqrr20Exit$qqrv.FinalizeFinallyFreeMem$qqri.Mem$qqrpv.Mem$qqrrpvi.NamePas$qqrpxb.Proc$qqrx20ReallocRecord$qqrpvt1.StringString.Stringx20Sysutils@Value$qqrv.VersionVersion$qqr37Versiont1Versiont1.Win10WindowsWindows$qqr39Windows10
                                    • String ID:
                                    • API String ID: 4150994669-0
                                    • Opcode ID: b2adf3145ab204adb26e7ac870b21828cc10c6087827f480579e483c496edbd1
                                    • Instruction ID: 41a9a23a7b60f4b664b88299e5906bf748f4a9271173bc32f84af737a47267dc
                                    • Opcode Fuzzy Hash: b2adf3145ab204adb26e7ac870b21828cc10c6087827f480579e483c496edbd1
                                    • Instruction Fuzzy Hash: C011E071B046049FD710EBAAE892F5EB3E9DB82750B6044FEF400A7352DE36EE019290

                                    Control-flow Graph

                                    APIs
                                    • @Oxrtl@Winapi@Kernel32@Kernel32@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BC8A70
                                      • Part of subcall function 00BC88FC: @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(615014F8,00BC8341,00000001,?,?,?,?,00000001), ref: 00BC8906
                                    • GetUserDefaultGeoName.KERNEL32 ref: 00BC8A75
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Kernel32@System@Unicode$Axrtl@Call$qqrx20DefaultDllroutines@NameOxrtl@Proc$qqrx20Routines@StringStringt1.UserWinapi@
                                    • String ID: GetUserDefaultGeoName
                                    • API String ID: 1480603370-1633773607
                                    • Opcode ID: e3b1041dd7b0af3ab2f2aeeb36694c1381651941d31114c26a18438f101cd331
                                    • Instruction ID: 4d7af69350506397a6a4700382740316ec5cc9f12558859b8f9ac165a961836c
                                    • Opcode Fuzzy Hash: e3b1041dd7b0af3ab2f2aeeb36694c1381651941d31114c26a18438f101cd331
                                    • Instruction Fuzzy Hash: D6C0486220A2382A221461EE2C81DA7BACCD98A2B838501A6BA1CC2602AC825D0002F6

                                    Control-flow Graph

                                    APIs
                                    • @System@Classes@TResourceStream@$bctr$qqruix20System@UnicodeStringpb.RTL250.BPL(0000000A,?,00000000,00876087,?,00000000,00876102), ref: 00876075
                                    • @System@TObject@Free$qqrv.RTL250.BPL(008760EC,00000000,00876102), ref: 008760DF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Classes@Free$qqrv.Object@ResourceStream@$bctr$qqruix20Stringpb.Unicode
                                    • String ID:
                                    • API String ID: 966191105-0
                                    • Opcode ID: 435cd3b0b4dd823d3780f2f9a37701dec501c1c664b7647086f3919548b6e71a
                                    • Instruction ID: fb68d8db0b9e2ad827a4655881cbc4a9f9645a4cb7e29dc602d503a69aeb67d3
                                    • Opcode Fuzzy Hash: 435cd3b0b4dd823d3780f2f9a37701dec501c1c664b7647086f3919548b6e71a
                                    • Instruction Fuzzy Hash: 20019270614B04AFD712CF65CC6581ABBE8F74E710B92C4B4F814D3790E6369C20C950

                                    Control-flow Graph

                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@SuspendDraw$qqrv.VCLIMG250 ref: 00869CA5
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(00000000,0086A58C), ref: 00869CBB
                                      • Part of subcall function 0086B1D0: @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,0086989E,?,008698DD,0086981D), ref: 0086B1FF
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869CD0
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869CE1
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869CF6
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D14
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D2F
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D3D
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D4D
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D67
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869D7D
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 00869D94
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869DA8
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00869DB9
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,?,?,?,?,00000000,00000000,00000000), ref: 00869DCE
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869DE7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E05
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E0A
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E1F
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E30
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E38
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E46
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E61
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparent$qqro.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869E6B
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 00869E7A
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 00869E8E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 00869E9F
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 00869EB4
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869EC7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869EE7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869EFE
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F06
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F1E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F23
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F38
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBoundsRect$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F40
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F4E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBoundsRect$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F56
                                    • @System@Types@IntersectRect$qqrr18System@Types@TRectrx18System@Types@TRectt2.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F64
                                    • @System@Types@EqualRect$qqrrx18System@Types@TRectt1.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F73
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F84
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetDisposal$qqr34Vcl@Imaging@Gifimg@TDisposalMethod.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869F8E
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 00869F9D
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 00869FB1
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 00869FC2
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 00869FD7
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 00869FEC
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A006
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A02C
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A03F
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A047
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A05C
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A06A
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Merge$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A070
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 0086A07F
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 0086A093
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 0086A0A4
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 0086A0B9
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A0CF
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A0DD
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A0F5
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A10E
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A116
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@GetExtension$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A139
                                      • Part of subcall function 00862E3C: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250 ref: 00862E46
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A144
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A159
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@GetExtension$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A163
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A16E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A17F
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@GetExtension$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A189
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A194
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1A5
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@GetExtension$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1AF
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1BA
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1CD
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1DD
                                    • @Vcl@Imaging@Gifimg@TGIFList@Delete$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1E7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A1FE
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A203
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A214
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A21C
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A22D
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A232
                                    • MulDiv.KERNEL32(?,00000064,?), ref: 0086A24B
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 0086A25F
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 0086A270
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 0086A285
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A29A
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2B6
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2BB
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2D0
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2D5
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2EA
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDelay$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A2F2
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A302
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Crop$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A307
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A314
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A319
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A32F
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A334
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A348
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDelay$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A350
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A361
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetDelay$qqrus.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A36A
                                    • @Vcl@Imaging@Gifimg@TGIFList@Delete$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A377
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 0086A386
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 0086A39A
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 0086A3AB
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 0086A3C0
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A3D7
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A3E5
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A3FD
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A12F
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A416
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A429
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDelay$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A433
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A443
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A44D
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetUserInput$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A458
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A463
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A472
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A47C
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A489
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A48E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A49F
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A4A7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A4B8
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00000000,0086A56F,?,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A4BD
                                    • MulDiv.KERNEL32(?,00000064,?), ref: 0086A4D6
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000,00000000), ref: 0086A4EA
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000,00000000), ref: 0086A4FB
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,?,00000064,?,00000000,0086A56F,?,?,?,?,00000000), ref: 0086A510
                                    • @System@ExceptObject$qqrv.RTL250.BPL(0086A576,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A522
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,0086A576,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A543
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,0086A576,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A554
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,0086A576,?,?,?,00000000,00000000,00000000,00000000,0086A58C), ref: 0086A569
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0086A5C0), ref: 0086A5B3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$System@$Frame$qqriImageL250$Count$qqrv$System@@Types@$ControlExtension@Frame@Graphic$CallDynaInst$qqrv.LoadRec.Rect$qqriiii.StringString$qqrp20$Transparent$qqrv$Class$qqrxp14Class.Empty$qqrvExtensionExtension$qqriFree$qqrv.Image@MetaObject@Objectp17$ColorDelay$qqrvDisposal$qqrv$BoundsDelete$qqriDraw$qqrvItem$qqriMap$qqrvRect$qqrv$ArrayClr$qqrpvi.Crop$qqrvDelay$qqrusDisposalDisposal$qqr34EqualExceptFrameIndex$qqrvInput$qqrvIntersectMerge$qqrp28MethodObject$qqrv.Rect$qqrr18Rect$qqrrx18Rectrx18Rectt1.Rectt2.StopSuspendTransparentTransparent$qqroUser
                                    • String ID:
                                    • API String ID: 2234378177-0
                                    • Opcode ID: 70899d58194de8839938d756dd5c2e0bcca65b65867fa8e996054a309c8fd988
                                    • Instruction ID: 1ce2f6a25b3d43ff2c994b5729bbadd6a54b6d0393ef5da6da23ed632ecfd8ae
                                    • Opcode Fuzzy Hash: 70899d58194de8839938d756dd5c2e0bcca65b65867fa8e996054a309c8fd988
                                    • Instruction Fuzzy Hash: 2D52F875A102089FCB00EBA9C981AAE77F9FF44304F5250A4F941EB366DA75EE05CB52
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BE883E,?,00000020,00000003,?,?,00BE8F96,00C6C280), ref: 00BE8438
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BE883E,?,00000020,00000003,?,?,00BE8F96,00C6C280), ref: 00BE845C
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BE883E,?,00000020,00000003,?,?,00BE8F96,00C6C280), ref: 00BE8469
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BE883E,?,00000020,00000003,?,?,00BE8F96,00C6C280), ref: 00BE8477
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000008,00000000,00BE8F96,00000000), ref: 00BE84E2
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BE880B,?,00000008,00000000,00BE8F96,00000000), ref: 00BE84F7
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000001,00000000,00BE880B,?,00000008,00000000,00BE8F96,00000000), ref: 00BE850C
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL ref: 00BE8517
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL ref: 00BE8528
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00BE8536
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BE8845), ref: 00BE882A
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BE8845), ref: 00BE8838
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Array$String.System@Unicode$Len$qqrx20$Clear$qqrrpvpv.High$qqrpxv.$Char$qqrx20Clr$qqrpvi.Length$qqrpxv.Length$qqrv.
                                    • String ID: .dll
                                    • API String ID: 3589434011-2738580789
                                    • Opcode ID: 3fbec3ebb7d1c9e26471c56c8c14b86abd032e228796c12e621b1b9589e21302
                                    • Instruction ID: 7a66f2db776e0b6ca4bbf10509568e4c1e812a91f40a063c866ff9eef3d7923f
                                    • Opcode Fuzzy Hash: 3fbec3ebb7d1c9e26471c56c8c14b86abd032e228796c12e621b1b9589e21302
                                    • Instruction Fuzzy Hash: 42C16B74E002499FDB10DFA9D881BEEB7F1EF49310F5085AAE858F7251DB349D828B61
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF15D2), ref: 00BF11B9
                                      • Part of subcall function 00BC292C: @System@@FillChar$qqrpvic.RTL250.BPL(00BF11CB,00000000,00BF15D2), ref: 00BC292E
                                    • CreatePipe.KERNEL32(?,?,0000000C,0000FFFF), ref: 00BF11EF
                                    • GetCurrentProcess.KERNEL32(000F01FF,?,00000000,00BF15A2,?,?,?,0000000C,0000FFFF), ref: 00BF1213
                                    • OpenProcessToken.ADVAPI32(00000000,000F01FF,?,00000000,00BF15A2,?,?,?,0000000C,0000FFFF), ref: 00BF1219
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,000F01FF,?,00000000,00BF15A2,?,?,?,0000000C,0000FFFF), ref: 00BF1222
                                    • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,00000000,00BF157B,?,00000000,000F01FF,?,00000000,00BF15A2,?,?), ref: 00BF124D
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,000F01FF,00000000,00000002,00000001,?,00000000,00BF157B,?,00000000,000F01FF,?,00000000,00BF15A2,?,?), ref: 00BF1256
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,000F01FF,00000000,00000002,00000001,?,00000000,00BF157B,?,00000000,000F01FF,?,00000000,00BF15A2,?,?), ref: 00BF125B
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15BC
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15C4
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15CC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Clr$qqrpv.Exit$qqrv.Finally$ProcessSystem@TokenUnicode$Asg$qqrr20Char$qqrpvic.CreateCurrentDuplicateFillOpenPipeString.Stringx20
                                    • String ID: D
                                    • API String ID: 3630118270-2746444292
                                    • Opcode ID: d6f52c8b4617132ba69c65b54c529fa3403b5febbf0f56bddeb60edba91938b5
                                    • Instruction ID: b86e3283a6a16d1c8b6c98de3035d80471fa09b0ec4710d90a8afd326d754023
                                    • Opcode Fuzzy Hash: d6f52c8b4617132ba69c65b54c529fa3403b5febbf0f56bddeb60edba91938b5
                                    • Instruction Fuzzy Hash: 18616471A0020CAFDB11EFA9CC91FADB7F9EB49300F5089A9F604F3651DB749A458B10
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,008758B1), ref: 00874FEC
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 008750B6
                                    • CreateCompatibleDC.GDI32(00000000), ref: 008750E1
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000), ref: 008750FA
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000), ref: 0087510E
                                    • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00875128
                                    • DeleteObject.GDI32(00000000), ref: 00875146
                                    • DeleteDC.GDI32(00000000), ref: 0087514F
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0087515F
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00875173
                                    • SelectObject.GDI32(00000000,00000000), ref: 00875180
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 008751AF
                                    • @System@@TRUNC$qqrv.RTL250.BPL(?,?,00000000,00000000,00000000,?,?,?,?,?,00CC0020,00000000,00000000,00000000,00000000,?), ref: 00875292
                                    • @System@@TRUNC$qqrv.RTL250.BPL(?,?,00000000,00000000,00000000,?,?,?,?,?,00CC0020,00000000,00000000,00000000,00000000,?), ref: 008753CC
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 00875454
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 00875601
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 0087564C
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00875663
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 008756A7
                                    • @Vcl@Imaging@Pngimage@TChunkPLTE@GetPaletteItem$qqruc.VCLIMG250 ref: 00875775
                                    • @Vcl@Imaging@Pngimage@TChunkPLTE@GetPaletteItem$qqruc.VCLIMG250 ref: 008757AA
                                    • @Vcl@Imaging@Pngimage@TChunkPLTE@GetPaletteItem$qqruc.VCLIMG250 ref: 008757DF
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 00875824
                                    • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0087586F
                                    • SelectObject.GDI32(00000000,?), ref: 0087587C
                                    • DeleteObject.GDI32(00000000), ref: 00875885
                                    • DeleteDC.GDI32(00000000), ref: 0087588E
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(008758B8), ref: 008758AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Imaging@Pngimage@Vcl@$C$qqrv.$Meta$DeleteObjectString$ChunkImage@Item$qqrucList@Palette$ClassClass$qqrp17Class20CreateError$qqrp17FromItemLoadRaiseRec.SelectString$qqrp20Unicode$ArrayChar$qqrpvic.Class$qqrxp14Class.Clr$qqrpv.Clr$qqrpvi.CompatibleFillHeader$qqrvItem$qqruiObjectp17Section
                                    • String ID:
                                    • API String ID: 1753166836-0
                                    • Opcode ID: 63bff4d60e9a6a9065b8968a8ff67fba70f5eb5b607b72bf2b5e887bc4185bc0
                                    • Instruction ID: 46c0a40ed7c92afb95922f2933ca06e67db8893e050a6590ab3a85bfd7f97a17
                                    • Opcode Fuzzy Hash: 63bff4d60e9a6a9065b8968a8ff67fba70f5eb5b607b72bf2b5e887bc4185bc0
                                    • Instruction Fuzzy Hash: 80529D71E046598FCB15CFA8C881BEDBBF2FF45301F1481AAE458EB39AC6749945DB20
                                    APIs
                                    • @Oxrtl@System@Cryptrsa@CryptRSA@PemToBin$qqrx20System@UnicodeStringr24System@%DynamicArray$uc%.OXCOMPONENTSRTL(00000000,00BD330A), ref: 00BD306F
                                      • Part of subcall function 00BD2A90: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000007,00000000,C6FE63FC,C6FE63F8,C6FE63F4), ref: 00BD2AAF
                                      • Part of subcall function 00BD2A90: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00000007,00000000,C6FE63FC,C6FE63F8,C6FE63F4), ref: 00BD2AB7
                                      • Part of subcall function 00BD2A90: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000007,00000000,C6FE63FC,C6FE63F8,C6FE63F4), ref: 00BD2ABF
                                      • Part of subcall function 00BD2A90: @System@@DynArraySetLength$qqrv.RTL250.BPL(?), ref: 00BD2ADF
                                      • Part of subcall function 00BD2A90: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000007,C6FE63FC,C6FE63FC,C6FE63F8,C6FE63F4), ref: 00BD2AFA
                                      • Part of subcall function 00BD2A90: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000007,C6FE63FC,C6FE63FC,C6FE63F8,C6FE63F4), ref: 00BD2B01
                                    • @Oxrtl@System@Cryptrsa@CryptRSA@Asn1ToPrivate$qqrx24System@%DynamicArray$uc%r24System@%DynamicArray$uc%.OXCOMPONENTSRTL(00000000,00BD330A), ref: 00BD308C
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BD3311,00BD330A), ref: 00BD32F1
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00BD3311,00BD330A), ref: 00BD3304
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@System@@$CryptUnicode$DynamicString.System@%$ArrayArray$uc%BinaryCryptrsa@Len$qqrx20Oxrtl@String$Array$qqrpvt1ui.Array$uc%r24Asn1Bin$qqrx20Char$qqrx20Clear$qqrrpvpv.FinalizeLength$qqrv.Private$qqrx24Stringr24
                                    • String ID:
                                    • API String ID: 2165240641-0
                                    • Opcode ID: facdb57ecfcc06c84104aa30aae665b623077c011801c5b441a908d24acbb08d
                                    • Instruction ID: d357d554bc4fe6e14f65421f5e04fe9e4718b3b8432f4660f8f135068c61b01b
                                    • Opcode Fuzzy Hash: facdb57ecfcc06c84104aa30aae665b623077c011801c5b441a908d24acbb08d
                                    • Instruction Fuzzy Hash: 04916F74A041099FDB00EBA4D891FAEF7F5EF49710F6084AAE405E7352EB349E05CB61
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,00000000), ref: 00C32408
                                    • @System@Sysutils@IntToStr$qqrj.RTL250.BPL(00000000,00000000), ref: 00C32414
                                    • @Axrtl@Winapi@Winsock2@WinSock2@Inet_NtoA$qqr29Axrtl@Winapi@Winsock2@TInAddr.AXCOMPONENTSRTL.BPL(?,00000001,00000000), ref: 00C32444
                                    • @System@@UStrFromPChar$qqrr20System@UnicodeStringpc.RTL250.BPL(?,?,00000001,00000000), ref: 00C32452
                                    • @Axrtl@Winapi@Iphlpapi@IPHelper@IcmpCreateFile$qqrv.AXCOMPONENTSRTL.BPL ref: 00C32461
                                    • GetLastError.KERNEL32(?,00000000,00000000), ref: 00C32477
                                    • @System@Sysutils@IntToStr$qqrj.RTL250.BPL(00000000,00000000,?,00000000,00000000), ref: 00C32483
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00C3264F), ref: 00C3263A
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C3264F), ref: 00C32642
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: L250$Axrtl@System@System@@Winapi@$ErrorLastStr$qqrj.Sysutils@Winsock2@$A$qqr29Addr.ArrayChar$qqrr20Clr$qqrpv.Clr$qqrpvi.CreateFile$qqrv.FromHelper@IcmpInet_Iphlpapi@Sock2@Stringpc.Unicode
                                    • String ID: GetHostByName$IcmpCreateFile$IcmpSendEcho
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?,?,?,?,008782B2), ref: 00878CF9
                                    • @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D43
                                    • @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(?,?,?,00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D62
                                    • @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL ref: 00878D7F
                                    • @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL ref: 00878D8E
                                    • @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DA6
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DC0
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(00000000,00879154,?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000), ref: 00878DF9
                                    • DeleteObject.GDI32(?), ref: 00878E12
                                    • @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00879154,?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000), ref: 00878E34
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL(?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878E57
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 00878E6F
                                    • @Vcl@Graphics@TBitmap@GetPixelFormat$qqrv.VCL250.BPL ref: 00878EE4
                                      • Part of subcall function 00878B30: CreatePalette.GDI32 ref: 00878BCD
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 00878F1A
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00878FF2
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 0087904E
                                    • @Vcl@Graphics@TBitmap@GetPixelFormat$qqrv.VCL250.BPL ref: 00879072
                                    • @System@ExceptObject$qqrv.RTL250.BPL(0087915B), ref: 008790ED
                                    • @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,?,?,0087915B), ref: 00879120
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,?,?,0087915B), ref: 0087913A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • API ID: L250$Graphics@Vcl@$Bitmap@$Pixel$Scanline$qqri.$Format$qqr25Format.System@$CallClasses@DynaFormat$qqrv.Handle$qqrp9Inst$qqrv.P__.Rect$qqriiii.System@@$Bitmap@$bctr$qqrv.CopyCreateDeleteE__.ExceptObjectObject$qqrv.PalettePalette$qqrp10
                                    • String ID: d
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,00C135DE,?,?,00000000,00000000,00000012), ref: 00C13433
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,?,00000000,0000001C,00000000,00C135DE,?,?,00000000,00000000,00000012), ref: 00C13459
                                    • @System@GetMemory$qi.RTL250.BPL(?,00000000,0000001C,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0000001C,00000000,00C135DE,?,?), ref: 00C1347E
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,0000001C,?,?,?,00000000,00000000,00C135C0,?,00000000,0000001C,00000000,00000000,?,00000000,00000000), ref: 00C134C5
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,0000001C,?,?,?,00000000,00000000,00C135C0,?,00000000,0000001C,00000000,00000000,?,00000000,00000000), ref: 00C134CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: L250$System@@$Exit$qqrv.Finally$Char$qqrpvic.FillMemory$qi.System@
                                    • String ID: D@)
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D97E
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D997
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D9B0
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D9C9
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D9E2
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085D9FB
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA14
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA2D
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA46
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA5F
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA78
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085DA91
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • API ID: Char$qqrpvic.FillL250System@@
                                    • String ID:
                                    APIs
                                    • @Oxrtl@System@Cryptrsa@CryptRSA@GenerateTextKey$qqrx20System@UnicodeStringuiruit3.OXCOMPONENTSRTL(?,?,00000000,00BD34C6), ref: 00BD33F9
                                    • @System@Sysutils@TEncoding@GetUTF8$qqrv.RTL250.BPL(00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3419
                                    • @System@Sysutils@TEncoding@GetBytes$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3423
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD342B
                                    • @Axrtl@Winapi@Advapi32@AdvApi32@CryptEncrypt$qqruiuiiuipucpuiui.AXCOMPONENTSRTL.BPL(?,?,?,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3449
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL(?,?,?,?,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3464
                                    • @System@Netencoding@TNetEncoding@GetBase64Encoding$qqrv.RTL250.BPL(00000000,?,?,?,?,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD346A
                                    • @System@Netencoding@TNetEncoding@EncodeBytesToString$qqrpxucxi.RTL250.BPL(?,?,?,?,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3473
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD347E
                                    • @Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui.AXCOMPONENTSRTL.BPL(00BD34A2,00000000,00000000,00BD349B,?,00000000,00BD34C6), ref: 00BD3495
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: System@$L250$Encoding@Unicode$CryptSystem@@$Advapi32@Api32@ArrayAxrtl@Netencoding@String.Sysutils@Winapi@$Asg$qqrr20Base64BytesBytes$qqrx20Context$qqruiui.Cryptrsa@EncodeEncoding$qqrv.Encrypt$qqruiuiiuipucpuiui.F8$qqrv.GenerateHigh$qqrpxv.Key$qqrx20Length$qqrpxv.Oxrtl@ReleaseString$qqrpxucxi.Stringuiruit3Stringx20Text
                                    • String ID:
                                    APIs
                                    • GetClipboardData.USER32(00000000), ref: 0086B749
                                    • GlobalSize.KERNEL32(00000000), ref: 0086B76C
                                    • GlobalLock.KERNEL32(00000000,00000000,0086B893), ref: 0086B777
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,0086B800,?,00000000,00000000,0086B893), ref: 0086B793
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,00000000,0086B800,?,00000000,00000000,0086B893), ref: 0086B7BD
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0086B7E9,?,00000000,00000000,0086B893), ref: 0086B7DC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • API ID: L250System@$Global$ClipboardDataFree$qqrv.LockMove$qqrpxvpvi.Object@Object@$bctr$qqrv.Size
                                    • String ID:
                                    APIs
                                    • GetLastError.KERNEL32(00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 008591C2
                                    • FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 008591E8
                                    • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL250.BPL(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 00859202
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 00859214
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 00859219
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 0085922B
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 0085923D
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00859265,?,00000000,?,00859280,00000000,0085EEA2), ref: 00859242
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085926C,00000000,?,00859280,00000000,0085EEA2), ref: 0085925F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • API ID: L250System@$System@@$Unicode$Except$qqrv.Exception@$bctr$qqrx20RaiseString.Sysutils@$ArrayArray$qqrr20Clr$qqrpvi.ErrorFormatFromLastLoadMessageRec.StringString$qqrp20Stringpbi.
                                    • String ID:
                                    APIs
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,?,?), ref: 00BD240F
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,00000000,?,?,?), ref: 00BD2436
                                    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,00BD23E2), ref: 00BD2467
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00BD24CA,?,?,?,?), ref: 00BD2485
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00BD23E2,00000000,00BD24CA,?,?,?,?), ref: 00BD249A
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?), ref: 00BD24AA
                                    • LocalFree.KERNEL32(?,00BD24D1), ref: 00BD24C4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: L250$System@@$ArraySystem@$Classes@Clear$qqrrpvpv.CryptDataExit$qqrv.FinallyFreeLength$qqrv.LocalMove$qqrpxvpvi.Position$qqrxj.Stream@Unprotect
                                    • String ID:
                                    APIs
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00000000,00BD23E2), ref: 00BD2358
                                    • @Oxrtl@System@Crypt@Crypt@DPAPIDecode$qqrp28System@Classes@TMemoryStreamr24System@%DynamicArray$uc%p34Axrtl@Winapi@Crypt32@TCyptoAPIBLOBxui.OXCOMPONENTSRTL(?,00000000,00BD23E2), ref: 00BD2368
                                      • Part of subcall function 00BD23F4: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,?,?), ref: 00BD240F
                                      • Part of subcall function 00BD23F4: @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,00000000,?,?,?), ref: 00BD2436
                                      • Part of subcall function 00BD23F4: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,00BD23E2), ref: 00BD2467
                                      • Part of subcall function 00BD23F4: @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00BD24CA,?,?,?,?), ref: 00BD2485
                                    • @System@Sysutils@TEncoding@GetString$qqrx24System@%DynamicArray$uc%.RTL250.BPL(00000000,00BD23BF,?,?,00000000,00BD23E2), ref: 00BD238D
                                    • @System@Sysutils@TEncoding@GetDefault$qqrv.RTL250.BPL(00000000,00BD23BF,?,?,00000000,00BD23E2), ref: 00BD2394
                                    • @System@Sysutils@TEncoding@GetString$qqrx24System@%DynamicArray$uc%.RTL250.BPL(00000000,00BD23BF,?,?,00000000,00BD23E2), ref: 00BD239E
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BD23C6,?,00000000,00BD23E2), ref: 00BD23B9
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BD23E9), ref: 00BD23DC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: L250$System@$System@@$ArrayClear$qqrrpvpv.DynamicEncoding@System@%Sysutils@$Array$uc%.Classes@Crypt@String$qqrx24$Array$uc%p34Axrtl@BxuiClr$qqrpv.CryptCrypt32@CyptoDataDecode$qqrp28Default$qqrv.Exit$qqrv.FinallyMemoryOxrtl@Position$qqrxj.Stream@Streamr24UnprotectWinapi@
                                    • String ID:
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetVersion$qqrv.VCLIMG250(00000000,0086034B), ref: 008602AB
                                      • Part of subcall function 008698E0: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086990B
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0086034B), ref: 008602BE
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv.VCLIMG250(00000000,0086034B), ref: 008602FB
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250 ref: 00860330
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00860352), ref: 00860345
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Similarity
                                    • API ID: System@$Gifimg@Imaging@L250Vcl@$System@@$Classes@Clr$qqrpv.ColorCount$qqrvExcept$qqrv.Exception@$bctr$qqrx20Header@Image@List@LoadMap@Prepare$qqrvRaiseRec.SaveStreamStream$qqrp22StringString$qqrp20String.Sysutils@UnicodeVersion$qqrv
                                    • String ID: GIF
                                    APIs
                                    • @Axrtl@Winapi@Advapi32@AdvApi32@CryptAcquireContext$qqrruix20System@UnicodeStringt2uiui.AXCOMPONENTSRTL.BPL(F0000000,00000001), ref: 00BD333B
                                    • @Axrtl@Winapi@Advapi32@AdvApi32@CryptCreateHash$qqruiuiuiuipui.AXCOMPONENTSRTL.BPL(?,00000000,F0000000,00000001), ref: 00BD3357
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Similarity
                                    • API ID: Advapi32@Api32@Axrtl@CryptWinapi@$AcquireContext$qqrruix20CreateHash$qqruiuiuiuipui.Stringt2uiui.System@Unicode
                                    • String ID:
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,?,00BD1E6C), ref: 00BD2197
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: Char$qqrpvic.FillL250System@@
                                    • String ID: -$=$=
                                    APIs
                                    • @Oxrtl@System@Processes@Processes@TProcess@ProcessHandle$qqrxuixo.OXCOMPONENTSRTL ref: 00C1C0B4
                                      • Part of subcall function 00C1C588: @Oxrtl@System@Processes@Processes@TProcess@GetID$qqrv.OXCOMPONENTSRTL(?,?,?,?,00C1CCB0), ref: 00C1C596
                                      • Part of subcall function 00C1C588: OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,?,?,00C1CCB0), ref: 00C1C5A4
                                    • @Oxrtl@System@Processes@Processes@TerminateProcess$qqruiuijpqqr20System@UnicodeStringuiui47Oxrtl@System@Processes@TProcessStopServiceStageo$o.OXCOMPONENTSRTL(00002710,00000000,00000000,00C1C116), ref: 00C1C0E7
                                    • GetLastError.KERNEL32(00002710,00000000,00000000,00C1C116), ref: 00C1C0F0
                                    • CloseHandle.KERNEL32(00000000,00C1C11D,00C1C116), ref: 00C1C110
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: Processes@$System@$Oxrtl@$Process$Process@$CloseD$qqrvErrorHandleHandle$qqrxuixoLastOpenProcess$qqruiuijpqqr20ServiceStageo$oStopStringuiui47TerminateUnicode
                                    • String ID:
                                    APIs
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(?), ref: 00BF43F5
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00BF43FB
                                    • FindClose.KERNEL32(00000000,00000000,?), ref: 00BF4406
                                      • Part of subcall function 00BC24D4: FileTimeToLocalFileTime.KERNEL32(?,?,00BE0D9F), ref: 00BC24D6
                                    • @System@Sysutils@FileDateToDateTime$qqri.RTL250.BPL(00000000,00000000,?), ref: 00BF4440
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: File$DateFindL250System@Time$Char$qqrx20CloseFirstLocalString.System@@Sysutils@Time$qqri.Unicode
                                    • String ID:
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: pen
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @Oxrtl@Winapi@Advapi32@AdvApi32@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?,?,?,?), ref: 00C16310
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(?,00C16315,?,?,?,?,?,?,?,?), ref: 00C16362
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: System@Unicode$Advapi32@Api32@Axrtl@Call$qqrx20Dllroutines@Oxrtl@Proc$qqrx20Routines@StringStringt1.Winapi@
                                    • String ID: EnumServicesStatusW
                                    APIs
                                    • @Oxrtl@Winapi@Advapi32@AdvApi32@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?,?,?,?), ref: 00C16310
                                      • Part of subcall function 00C16358: @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(?,00C16315,?,?,?,?,?,?,?,?), ref: 00C16362
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID: System@Unicode$Advapi32@Api32@Axrtl@Call$qqrx20Dllroutines@Oxrtl@Proc$qqrx20Routines@StringStringt1.Winapi@
                                    • String ID: EnumServicesStatusW
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: 80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: hXMV$hXMV
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • GetSystemInfo.KERNEL32(00000002), ref: 0085A268
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • API ID: InfoSystem
                                    • String ID:
                                    APIs
                                    • @Axrtl@Winapi@Advapi32@AdvApi32@CryptReleaseContext$qqruiui.AXCOMPONENTSRTL.BPL(00BD32DB,00000000,00BD32D4,?,F0000000,00000001,00000000,00BD330A), ref: 00BD32CE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Advapi32@Api32@Axrtl@Context$qqruiui.CryptReleaseWinapi@
                                    • String ID:
                                    • API String ID: 1858279025-0
                                    • Opcode ID: 3aa3718cc24d36dce5bb2215c380f50dd13ba94470a8a5a3846bbe44d20e7c68
                                    • Instruction ID: 224905ee5e63aef9e06ae1805d5b5eacf5f5a8fe312b556fdff11ee2cdea82b6
                                    • Opcode Fuzzy Hash: 3aa3718cc24d36dce5bb2215c380f50dd13ba94470a8a5a3846bbe44d20e7c68
                                    • Instruction Fuzzy Hash: 66C09B3575C5404E770DD755BC21529A3E1F7C47213A584B6E004C16A1EE7459064414

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 299 bcc318-bcc31c 300 bcc321-bcc326 299->300 300->300 301 bcc328-bcc3b4 @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString * 4 @System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@Clear$qqrv @System@@UStrLen$qqrx20System@UnicodeString 300->301 302 bcc6cd-bcc724 @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% @System@@UStrArrayClr$qqrpvi * 2 @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% * 4 @System@@UStrClr$qqrpv 301->302 303 bcc3ba-bcc3d9 @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2 @System@Sysutils@FileExists$qqrx20System@UnicodeStringo 301->303 303->302 304 bcc3df-bcc3fc @System@Ioutils@TFile@OpenRead$qqrx20System@UnicodeString 303->304 305 bcc69c-bcc6a8 304->305 306 bcc402-bcc42e @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% @System@Classes@TStreamAdapter@$bctr$qqrp22System@Classes@TStream31System@Classes@TStreamOwnership 304->306 305->302 307 bcc430 306->307 308 bcc433-bcc453 @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID @System@@CheckAutoResult$qqrl 306->308 307->308 310 bcc67f-bcc694 @System@Sysutils@FreeAndNil$qqrpv 308->310 311 bcc459-bcc46b 308->311 312 bcc46d-bcc472 @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui 311->312 313 bcc477-bcc492 @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% @System@@CheckAutoResult$qqrl 311->313 312->313 315 bcc498-bcc583 @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString 
@Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString @System@@CheckAutoResult$qqrl * 2 @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetLogoFileName$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackage20System@UnicodeString @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% 313->315 316 bcc58b-bcc58f 313->316 317 bcc59b-bcc5b6 @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% @System@@CheckAutoResult$qqrl 316->317 318 bcc591-bcc596 @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui 316->318 321 bcc5bc-bcc5ca 317->321 322 bcc662-bcc677 @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% 317->322 318->317 324 bcc62c-bcc643 @System@@CheckAutoResult$qqrl 321->324 326 bcc5cc-bcc5d0 324->326 327 bcc645-bcc65a @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% 324->327 328 bcc5dc-bcc60a @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface% @System@@CheckAutoResult$qqrl @Oxrtl@System@Appxpackages@TAppxUtils@TAppxApplication@$bctr$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex83System@%DelphiInterface$56Axrtl@Typelibrary@Appxpackaging@IAppxManifestApplication% 326->328 329 bcc5d2-bcc5d7 @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui 326->329 331 bcc60c 328->331 332 bcc60f-bcc627 
@System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@Add$qqrx69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication% @System@@CheckAutoResult$qqrl 328->332 329->328 331->332 332->324
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC357
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC36A
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC384
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC397
                                    • @System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@Clear$qqrv.OXCOMPONENTSRTL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC3A2
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC3AD
                                    • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL250.BPL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC3C8
                                    • @System@Sysutils@FileExists$qqrx20System@UnicodeStringo.RTL250.BPL(?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC3D2
                                    • @System@Ioutils@TFile@OpenRead$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725,?,?,?,?,00000006,00000000,00000000), ref: 00BCC3F0
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC413
                                    • @System@Classes@TStreamAdapter@$bctr$qqrp22System@Classes@TStream31System@Classes@TStreamOwnership.RTL250.BPL(00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC425
                                    • @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC43B
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC44A
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(00000000,00BCC678,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC472
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCC678,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC47A
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000), ref: 00BCC489
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString.OXCOMPONENTSRTL(?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC4B5
                                      • Part of subcall function 00BCCA50: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00000000,00BCCAB7), ref: 00BCCA78
                                      • Part of subcall function 00BCCA50: @System@@CheckAutoResult$qqrl.RTL250.BPL ref: 00BCCA84
                                      • Part of subcall function 00BCCA50: @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL ref: 00BCCA8F
                                      • Part of subcall function 00BCCA50: @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex20System@UnicodeString.OXCOMPONENTSRTL ref: 00BCCA9C
                                      • Part of subcall function 00BCCA50: @System@@UStrClr$qqrpv.RTL250.BPL(00BCCABE), ref: 00BCCAB1
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC4C3
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString.OXCOMPONENTSRTL(?,?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC4D7
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC4E5
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetPropertyString$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackagex82System@%DelphiInterface$55Axrtl@Typelibrary@Appxpackaging@IAppxManifestProperties%x20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC4F9
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,00000000,00BCC584,?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC507
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC51E
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC542
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC54D
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxGetLogoFileName$qqrp49Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackage20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC55B
                                      • Part of subcall function 00BCC968: @System@@UStrAddRef$qqrpv.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560,?,?,?,?,00000000,00000000,00000000), ref: 00BCC981
                                      • Part of subcall function 00BCC968: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL250.BPL(00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560,?,?,?,?), ref: 00BCC99C
                                      • Part of subcall function 00BCC968: @System@Sysutils@FileExists$qqrx20System@UnicodeStringo.RTL250.BPL(00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560,?,?,?,?), ref: 00BCC9A5
                                      • Part of subcall function 00BCC968: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560,?,?,?,?), ref: 00BCC9B3
                                      • Part of subcall function 00BCC968: @System@Sysutils@IntToStr$qqri.RTL250.BPL(.scale-,00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560), ref: 00BCC9C8
                                      • Part of subcall function 00BCC968: @System@Sysutils@ExtractFileExt$qqrx20System@UnicodeString.RTL250.BPL(?,.scale-,00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560), ref: 00BCC9D6
                                      • Part of subcall function 00BCC968: @System@@UStrCatN$qqrv.RTL250.BPL(?,?,.scale-,00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560), ref: 00BCC9E6
                                      • Part of subcall function 00BCC968: @System@Sysutils@ChangeFileExt$qqrx20System@UnicodeStringt1.RTL250.BPL(?,?,.scale-,00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560), ref: 00BCC9F3
                                      • Part of subcall function 00BCC968: @System@Sysutils@FileExists$qqrx20System@UnicodeStringo.RTL250.BPL(?,?,.scale-,00000000,00BCCA26,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560), ref: 00BCC9FC
                                      • Part of subcall function 00BCC968: @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BCCA2D,?,?,00000000,00000000,00000000,00000000,00000000,?,00BCC560,?,?,?,?,00000000,00000000), ref: 00BCCA20
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC569
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCC58B,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC57E
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000), ref: 00BCC596
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000), ref: 00BCC59E
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000), ref: 00BCC5AD
                                    • @System@@CheckAutoResult$qqrl.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA), ref: 00BCC639
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCC662,?,00000000,00000000,00000000,00BCC695,?,00000000,00BCC6AA,?,?,?,?,?,00000000,00BCC725), ref: 00BCC655
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Unicode$System@@$Appx$String.$Appxpackages@DelphiOxrtl@Stringx20System@%$Utils@$Asg$qqrr20$AutoCheckInterface$17Result$qqrl.$FileIntfSysutils@$Axrtl@Clear$qqrr44Interface%.String$PropertyString$qqrp49Thread@$Appxpackaging@Classes@Exists$qqrx20Interface$55ManifestPackagex82Properties%x20Stringo.Typelibrary@$Cat3$qqrr20Char$qqrr20Check$qqrui.Ext$qqrx20FromSleepStreamStringpb.Stringt2.$Adapter@$bctr$qqrp22Application%%@ArrayCast$qqrr44ChangeChar$qqrx20Clear$qqrvClr$qqrpv.Clr$qqrpvi.Collections@%ExtractFile@Generics@Interface$42Interface%rx5_Interface%x44Ioutils@Len$qqrx20List__1$69LogoN$qqrv.Name$qqrp49OpenOwnership.Package20Packagex20Read$qqrx20Ref$qqrpv.Str$qqri.Stream31Stringt1.
                                    • String ID: AppxManifest.xml$Description$DisplayName$Framework$Logo$PublisherDisplayName
                                    • API String ID: 2840685956-1317673384
                                    • Opcode ID: e24a5cf1715f66a0842f3997fdb44215d3dfb89cfcbb9e489817be4795198317
                                    • Instruction ID: 1c826111c40b955a94f20bcae0b3bea7014e508f9303b0bd08cbdfcd08604eef
                                    • Opcode Fuzzy Hash: e24a5cf1715f66a0842f3997fdb44215d3dfb89cfcbb9e489817be4795198317
                                    • Instruction Fuzzy Hash: D8C10B35A00249AFDB00EBA8D992F9EB7F9EF59304F5044E9F404B7662D730AD15CB64

                                    APIs
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@Initialize$qqrv.VCLIMG250 ref: 008690DF
                                      • Part of subcall function 00868D80: @Vcl@Imaging@Gifimg@TGIFImage@EffectiveBackgroundColor$qqrv.VCLIMG250 ref: 00868D86
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00869103
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00869124
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00869134
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@GetExtension$qqri.VCLIMG250 ref: 0086914C
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 0086915B
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@SetLoopMax$qqri.VCLIMG250 ref: 0086916A
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086918A
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 008691B7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 008691D4
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250 ref: 008691E2
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 00869211
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetIsTransparent$qqrv.VCLIMG250 ref: 00869241
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086924D
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00869260
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00869276
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 0086927F
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00869289
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 00869293
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086929B
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 008692A6
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 008692AE
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 008692C4
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008692E6
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 008692FB
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086932B
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086933A
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 00869345
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086934D
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 00869357
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00869363
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00869379
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 00869382
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 0086939E
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetIsTransparent$qqrv.VCLIMG250 ref: 008693AC
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 008693B8
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 008693CB
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 008693E1
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 008693EA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Graphics@$L250$Bitmap@Canvas$qqrv.$Gifimg@Imaging@$System@$List@$Brush@$Canvas@Canvast1.CopyCount$qqrvImage@Rect$qqrrx18Rectp20Types@$Bitmap@$bctr$qqrv.BrushColor$qqr21Color.CustomFrame$qqriFree$qqrv.ImageObject@Renderer@Style$qqr24Style.Transparent$qqrvUitypes@$BackgroundClass$qqrxp14Class.Color$qqrvControlDisposal$qqrvEffectiveExtensionExtension$qqriExtension@GraphicInitialize$qqrvLoopMax$qqriMetaObjectp17System@@
                                    • String ID:
                                    • API String ID: 558454307-0
                                    • Opcode ID: 7346728b11cadc1032fc737053ab94aa26e881c8c6f62c51c722747310a23b63
                                    • Instruction ID: 3f2ada4c8cd6d21b1fbe1f5552170824fdc7b3ac3203cc359f4fce2cf4144965
                                    • Opcode Fuzzy Hash: 7346728b11cadc1032fc737053ab94aa26e881c8c6f62c51c722747310a23b63
                                    • Instruction Fuzzy Hash: 69B1F774204705CFC324EF2CC485A5ABBE5FF4A315B154969E986CB762DB31EC4ACB42

                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Clear$qqrv.VCLIMG250(00000000,008654D4), ref: 00864F80
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008630EF), ref: 0086312E
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008630EF), ref: 00863136
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250(?,008630EF), ref: 0086313D
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@DoSetBounds$qqriiii.VCLIMG250(00000000,00000000,?,008630EF), ref: 0086314C
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@Dormant$qqrv.VCLIMG250(00000000,00000000,?,008630EF), ref: 00863158
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,008654D4), ref: 00864F93
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Clear$qqrv.VCLIMG250(00000000,008654D4), ref: 00864FA3
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,008654D4), ref: 00864FAD
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250(00000000,008654D4), ref: 00864FD4
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,008654D4), ref: 00864FFA
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,008654D4), ref: 00865004
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetHasBitmap$qqrv.VCLIMG250 ref: 00865026
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewBitmap$qqrv.VCLIMG250 ref: 00865036
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250 ref: 0086503D
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(008654DB), ref: 008654CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Frame@$Clear$qqrv$Bitmap$qqrvL250System@$ColorImage$qqrvSystem@@$ActiveArrayBounds$qqriiiiClass$qqrxp14Class.Clr$qqrpvi.Dormant$qqrvEmpty$qqrvFreeList@Map$qqrvMap@MetaMove$qqrpxvpvi.Objectp17
                                    • String ID: (
                                    • API String ID: 507104995-3887548279
                                    • Opcode ID: 4c35034de465493ea4234f09fd44e9ead388453f5d223f2870df07d96a2e634b
                                    • Instruction ID: 061960e80af53363e5a49d6e73bd7fc4d50b77dc533c3bf09ca907c940ffe491
                                    • Opcode Fuzzy Hash: 4c35034de465493ea4234f09fd44e9ead388453f5d223f2870df07d96a2e634b
                                    • Instruction Fuzzy Hash: C8D13874A00648EFDB10DFA8C995AADB7F5FF49301F2280A5E804EB352DB34AE45DB51
                                    APIs
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE3A
                                    • CreateDIBitmap.GDI32(unkz,?,00000004,?,?,00000000), ref: 0086FE4F
                                    • SelectObject.GDI32(00000000,00000000), ref: 0086FE56
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE8A
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE96
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FEA2
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0086FEB5
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0086FEC5
                                    • CreateCompatibleBitmap.GDI32(unkz,?,?), ref: 0086FED3
                                    • SelectObject.GDI32(00000001,00000000), ref: 0086FEE3
                                    • SelectObject.GDI32(?,00000000), ref: 0086FEF3
                                    • SelectObject.GDI32(00000001,?), ref: 0086FF03
                                    • SetBkColor.GDI32(00000000,?), ref: 0086FF10
                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0086FF34
                                    • SetBkColor.GDI32(00000000,?), ref: 0086FF3E
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,?,00000000,00000000,00330008), ref: 0086FF5A
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,unkz,?,?,00CC0020), ref: 0086FF7A
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0086FF96
                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000001,00000001,00000001,00000000,00000000,?,?,008800C6), ref: 0086FFB7
                                    • StretchBlt.GDI32(00000001,00000000,00000000,?,?,00000000,00000000,00000000,00000001,00000001,00EE0086), ref: 0086FFD8
                                    • BitBlt.GDI32(unkz,?,?,?,?,00000001,00000000,00000000,00CC0020), ref: 0086FFF8
                                    • SelectObject.GDI32(00000001,?), ref: 00870005
                                    • DeleteObject.GDI32(00000000), ref: 0087000B
                                    • SelectObject.GDI32(?,?), ref: 00870018
                                    • DeleteObject.GDI32(00000000), ref: 0087001E
                                    • SelectObject.GDI32(00000001,00000000), ref: 0087002B
                                    • DeleteObject.GDI32(00000000), ref: 00870031
                                    • SelectObject.GDI32(00000000,?), ref: 0087003B
                                    • DeleteObject.GDI32(00000000), ref: 00870041
                                    • DeleteDC.GDI32(00000001), ref: 0087004A
                                    • DeleteDC.GDI32(00000001), ref: 00870053
                                    • DeleteDC.GDI32(?), ref: 0087005C
                                    • DeleteDC.GDI32(00000000), ref: 00870062
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Object$CreateDeleteSelect$Compatible$Bitmap$Stretch$Color
                                    • String ID: unkz
                                    • API String ID: 881050057-154485718
                                    • Opcode ID: d42835d07ea8870b569a624fb88f3cd10e905f52b1bed3ad5bea1b4a939560c1
                                    • Instruction ID: a80ce3cef8185106c598a9327fa90d1e3795d1cb91d92dc836971a8589033ae6
                                    • Opcode Fuzzy Hash: d42835d07ea8870b569a624fb88f3cd10e905f52b1bed3ad5bea1b4a939560c1
                                    • Instruction Fuzzy Hash: 1591ABB1A40218BEDB10EAECCC86FAEB7BCFB0A711F104455F614FB281C675A9048B75
                                    APIs
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE3A
                                    • CreateDIBitmap.GDI32(unkz,?,00000004,?,?,00000000), ref: 0086FE4F
                                    • SelectObject.GDI32(00000000,00000000), ref: 0086FE56
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE8A
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FE96
                                    • CreateCompatibleDC.GDI32(unkz), ref: 0086FEA2
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0086FEB5
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0086FEC5
                                    • CreateCompatibleBitmap.GDI32(unkz,?,?), ref: 0086FED3
                                    • SelectObject.GDI32(00000001,00000000), ref: 0086FEE3
                                    • SelectObject.GDI32(?,00000000), ref: 0086FEF3
                                    • SelectObject.GDI32(00000001,?), ref: 0086FF03
                                    • SetBkColor.GDI32(00000000,?), ref: 0086FF10
                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0086FF34
                                    • SetBkColor.GDI32(00000000,?), ref: 0086FF3E
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,?,00000000,00000000,00330008), ref: 0086FF5A
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,unkz,?,?,00CC0020), ref: 0086FF7A
                                    • BitBlt.GDI32(00000001,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0086FF96
                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000001,00000001,00000001,00000000,00000000,?,?,008800C6), ref: 0086FFB7
                                    • StretchBlt.GDI32(00000001,00000000,00000000,?,?,00000000,00000000,00000000,00000001,00000001,00EE0086), ref: 0086FFD8
                                    • BitBlt.GDI32(unkz,?,?,?,?,00000001,00000000,00000000,00CC0020), ref: 0086FFF8
                                    • SelectObject.GDI32(00000001,?), ref: 00870005
                                    • DeleteObject.GDI32(00000000), ref: 0087000B
                                    • SelectObject.GDI32(?,?), ref: 00870018
                                    • DeleteObject.GDI32(00000000), ref: 0087001E
                                    • SelectObject.GDI32(00000001,00000000), ref: 0087002B
                                    • DeleteObject.GDI32(00000000), ref: 00870031
                                    • SelectObject.GDI32(00000000,?), ref: 0087003B
                                    • DeleteObject.GDI32(00000000), ref: 00870041
                                    • DeleteDC.GDI32(00000001), ref: 0087004A
                                    • DeleteDC.GDI32(00000001), ref: 00870053
                                    • DeleteDC.GDI32(?), ref: 0087005C
                                    • DeleteDC.GDI32(00000000), ref: 00870062
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Object$CreateDeleteSelect$Compatible$Bitmap$Stretch$Color
                                    • String ID: unkz
                                    • API String ID: 881050057-154485718
                                    • Opcode ID: 01e36658b34309126c0948b67d84b96fbb7911574642f278e1fa48788fc787c5
                                    • Instruction ID: 7878546ac3247ae2db1a476aeeac0c87095ac9bad024bdac6bc8e9fe9429f159
                                    • Opcode Fuzzy Hash: 01e36658b34309126c0948b67d84b96fbb7911574642f278e1fa48788fc787c5
                                    • Instruction Fuzzy Hash: D38159B1E40218BADB50EAECCC86FAFB7BCEB09711F104414F614FB281DA75A9448B75
                                    APIs
                                    • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF13BA
                                    • ResetEvent.KERNEL32(?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF13D4
                                    • @Axrtl@Winapi@Kernel32@Kernel32@WaitForMultipleObjects$qqrpuixiiui.AXCOMPONENTSRTL.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF13FF
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF1409
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF140E
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF1413
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF1418
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF141D
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000,00BF153F), ref: 00BF1432
                                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF145A
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF1463
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF1468
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF146D
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF1472
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000000,?,?,?,?,?,00000000,00BF1512,?,00000000,000000FF,00000000,00000000,00000000), ref: 00BF1477
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15BC
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15C4
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00BF15D9,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF15CC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Exit$qqrv.Finally$Clr$qqrpv.$Axrtl@EventKernel32@Thread@$Check$qqrui.CreateMultipleNamedObjects$qqrpuixiiui.PeekPipeResetSleepSystem@WaitWinapi@
                                    • String ID:
                                    • API String ID: 1890537010-0
                                    • Opcode ID: b46fc9e76b88f025bcc11512a393555e0a50393c00949906bf5dd6ebcd2cb7e8
                                    • Instruction ID: 9c3237bb4242cc54a5b74ef540e8342aafac031ed46ab098a4a866ff2e94d735
                                    • Opcode Fuzzy Hash: b46fc9e76b88f025bcc11512a393555e0a50393c00949906bf5dd6ebcd2cb7e8
                                    • Instruction Fuzzy Hash: B7312171A0020CEFDB11EBA8C952FEEB7F9EB89310F5448EAF605F3241D63599448B21
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@InternalClear$qqrv.VCLIMG250(00000000,0086B70B), ref: 0086B339
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 00869899
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A0
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A8
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698B3
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698C7
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086B70B), ref: 0086B34C
                                    • @Vcl@Imaging@Gifimg@TGIFImage@InternalClear$qqrv.VCLIMG250(00000000,0086B70B), ref: 0086B35C
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,?,00000000,0086B56F,?,00000000,0086B70B), ref: 0086B3A8
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,?,00000000,0086B56F,?,00000000,0086B70B), ref: 0086B3B9
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,?,00000000,0086B56F,?,00000000,0086B70B), ref: 0086B3CE
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,00000000,0086B544,?,?,?,?,00000000,00000000,?,00000000,0086B56F,?,00000000,0086B70B), ref: 0086B45B
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0086B712), ref: 0086B705
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$L250System@$Clear$qqrvImage@$System@@$InternalList@$ArrayBitmap$qqrvCallClass$qqrxp14Class.Clr$qqrpvi.ColorCount$qqrvDraw$qqrvDynaFreeHeader@Inst$qqrv.LoadMap@MetaObjectp17Prepare$qqrvRec.Rect$qqriiii.StopStringString$qqrp20Types@
                                    • String ID: d
                                    • API String ID: 4127975858-2564639436
                                    • Opcode ID: 394ef259e7d287070a0a01cc7d04df6b02d38d0e23f79264bcb9c4b57ebb84fc
                                    • Instruction ID: 94359ede0dd99dc6a45a335ddf51827def899627e4500b71f30be4a90f1d3e8e
                                    • Opcode Fuzzy Hash: 394ef259e7d287070a0a01cc7d04df6b02d38d0e23f79264bcb9c4b57ebb84fc
                                    • Instruction Fuzzy Hash: 89C15A74A04248EFCB05DFA8C99199EBBF6FF49314B2184A5E800EB351DB31EE45DB61
                                    APIs
                                    • @System@@AddRefRecord$qqrpvt1.RTL250.BPL(?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5254
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5273
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC528A
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5295
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC52B8
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC52EB
                                    • @System@Sysutils@CharInSet$qqrbrx25System@%Set$cc$i0$c$i-1$%.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC5329
                                    • @System@Math@Max$qqrxixi.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5353
                                    • @System@Math@Max$qqrxixi.RTL250.BPL(00000000,?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?), ref: 00BC5365
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5373
                                    • @System@Math@Max$qqrxixi.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC538D
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC53A1
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC53CC
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC5410
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5424
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC542F
                                    • @System@Sysutils@CharInSet$qqrbrx25System@%Set$cc$i0$c$i-1$%.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5447
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?), ref: 00BC547A
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?), ref: 00BC547F
                                    • @System@Sysutils@TryStrToFloat$qqrx20System@UnicodeStringrfrx31System@Sysutils@TFormatSettings.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC54E1
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC54F2
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000001,?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?), ref: 00BC550A
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL ref: 00BC551A
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00BC55A2,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC558C
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC55D0,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC55BB
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BC55D0,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC55C3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$Unicode$String.$Array$Copy$qqrx20Len$qqrx20Stringii.Sysutils@$Math@Max$qqrxixi.$CharChar$qqrx20Length$qqrpxv.Record$qqrpvt1.Set$cc$i0$c$i-1$%.Set$qqrbrx25System@%$Asg$qqrr20Clear$qqrrpvpv.Clr$qqrpv.Exit$qqrv.FinalizeFinallyFloat$qqrx20FormatHigh$qqrpxv.Length$qqrv.Settings.Stringrfrx31Stringx20
                                    • String ID:
                                    • API String ID: 538341614-0
                                    • Opcode ID: 51e75546083455d1f3770895d3e352e3f21efb6f177e7c802e3cbdf021545092
                                    • Instruction ID: ab7a179d2038bbec1d6aa3828e3ea7a1300fbb0d1f17e5bbff3241cbb2f95d52
                                    • Opcode Fuzzy Hash: 51e75546083455d1f3770895d3e352e3f21efb6f177e7c802e3cbdf021545092
                                    • Instruction Fuzzy Hash: ACA14834A006589FDB30DB58C981F9DB3F5EB45300F5089EAE949B7252DA71AEC5CF60
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008762AA
                                    • @Vcl@Imaging@Pngimage@TPngImage@AssignPNG$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 008762B8
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPngImage@SetMaxIdatSize$qqrxi.VCLIMG250 ref: 00876638
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250 ref: 00876659
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250 ref: 0087666D
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00876690
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPNGPointerList@SetItem$qqruipxv.VCLIMG250 ref: 008766B0
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 008766B9
                                      • Part of subcall function 00876618: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000), ref: 008766C7
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008762CA
                                    • @Vcl@Imaging@Pngimage@TPngImage@HeaderPresent$qqrv.VCLIMG250 ref: 008762DA
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetTransparencyMode$qqrv.VCLIMG250 ref: 00876307
                                    • @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL ref: 00876314
                                    • @Vcl@Graphics@TBitmap@SetAlphaFormat$qqr25Vcl@Graphics@TAlphaFormat.VCL250.BPL ref: 0087631D
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00876324
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 0087632E
                                    • @System@Classes@Bounds$qqriiii.RTL250.BPL ref: 0087634E
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00876359
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL ref: 00876393
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetTransparencyMode$qqrv.VCLIMG250 ref: 008763A4
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 008763C0
                                    • @Vcl@Imaging@Pngimage@TChunktRNS@GetTransparentColor$qqrv.VCLIMG250 ref: 008763C9
                                    • @Vcl@Graphics@TBitmap@SetTransparentColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 008763D2
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000003), ref: 008763E4
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000003), ref: 008763E9
                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 008763EF
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,00CC0020,00000000,00000003), ref: 008763FE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Imaging@Pngimage@$L250$Graphics@$System@$Image@$Bitmap@List@$Canvas$qqrv.Item$qqruiMeta$AlphaClass$qqrxp14Class.Color$qqr21Color.Format$qqr25Format.Mode$qqrvObjectp17PixelPointerSystem@@TransparencyTransparentUitypes@$AssignBounds$qqriiii.Brush@Canvas@Chunks$qqrvChunktClassClass$qqrp17Classes@ClearColor$qqrvCopyE__.FromG$qqrp30Handle$qqrv.HeaderHeader$qqrvIdatImageItemItem$qqruipxvModePalette$qqrp10Present$qqrvSize$qqrxiSize$qqrxuiStretch
                                    • String ID:
                                    • API String ID: 2393881486-0
                                    • Opcode ID: e2eb20538495ae35aed92f9f57f059a52b175e7ee6a2dcb2095e9221af93b669
                                    • Instruction ID: b637b2ef82ce038dca13de6b98251bc73d12a65771e5b17e040865142c56aead
                                    • Opcode Fuzzy Hash: e2eb20538495ae35aed92f9f57f059a52b175e7ee6a2dcb2095e9221af93b669
                                    • Instruction Fuzzy Hash: 7651D6717005049FC700EB6CC985A5EB7E6FF4A711F2481A4F909DB366DE30EE0A9B96
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 0087094F
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 00870960
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00870977
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00870990
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 008709A9
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 008709BA
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 008709CB
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 008709D8
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 008709E7
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00870A0D
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 00870A1E
                                    • @Vcl@Imaging@Pngimage@TChunk@GetIndex$qqrv.VCLIMG250 ref: 00870A4F
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870A5C
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870A76
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870A8F
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00870AA9
                                      • Part of subcall function 00870B60: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,?,?,008709DD), ref: 00870B7D
                                      • Part of subcall function 00870B60: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,?,?,?,?,008709DD), ref: 00870B84
                                      • Part of subcall function 00870B60: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,?,?,008709DD), ref: 00870B91
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00870AB9
                                    • @Vcl@Imaging@Pngimage@TChunk@GetIndex$qqrv.VCLIMG250 ref: 00870AC6
                                      • Part of subcall function 00870BB8: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(?,00000000,?,?,00870A54), ref: 00870BE0
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870AD3
                                      • Part of subcall function 008707E8: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250 ref: 00870801
                                      • Part of subcall function 008707E8: @System@Move$qqrpxvpvi.RTL250.BPL ref: 00870823
                                      • Part of subcall function 008707E8: @Vcl@Imaging@Pngimage@TPNGPointerList@SetItem$qqruipxv.VCLIMG250 ref: 0087082E
                                    • @Vcl@Imaging@Pngimage@TChunk@GetIndex$qqrv.VCLIMG250 ref: 00870AE3
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870AEF
                                    • @Vcl@Imaging@Pngimage@TChunk@GetIndex$qqrv.VCLIMG250 ref: 00870B0F
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Insert$qqrpvui.VCLIMG250 ref: 00870B1B
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00870B42), ref: 00870B35
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$System@$List@$Meta$Pointer$ClassClass$qqrp17FromItem$Insert$qqrpvuiL250String$Chunk@Index$qqrv$Class20Error$qqrp17Image@Item$qqruiLoadRaiseRec.String$qqrp20Unicode$System@@$ArrayClass$qqrxp14Class.Clr$qqrpvi.Item$qqruipxvMove$qqrpxvpvi.Objectp17Size$qqrxui
                                    • String ID:
                                    • API String ID: 1863849697-0
                                    • Opcode ID: 99d2b6f1f93d0b4a646443d13ab1fcd25747d1dda5a09b05c065c7b9cfc4a793
                                    • Instruction ID: 0e6a822329549e067c0888cf282fb6618eb99fce0a159d36f4035219bdc9a92e
                                    • Opcode Fuzzy Hash: 99d2b6f1f93d0b4a646443d13ab1fcd25747d1dda5a09b05c065c7b9cfc4a793
                                    • Instruction Fuzzy Hash: 43616C34B00214CBDB50EF28D991A6EB7A1FB44314F11D165E909EB35ADA74EE81CF92
                                    APIs
                                    • @Oxrtl@System@Eventlog@Appcrashutils@TWindowsEventRecordHelper@GetFileName$qqrv.OXCOMPONENTSRTL(00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF72CF
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF72DD
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF72E8
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@$bctr$qqrx20System@UnicodeStringo.AXCOMPONENTSRTL.BPL(00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7304
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@GetIsAviable$qqrv.AXCOMPONENTSRTL.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF731D
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@IsValueExist$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7332
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@GetValue$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7346
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7354
                                    • @System@Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7364
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7372
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@IsValueExist$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF737F
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@GetValue$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF7393
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF73A1
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF73BC
                                    • @Oxrtl@System@Eventlog@Appcrashutils@TWindowsEventRecordHelper@GetFileVersion$qqrv.OXCOMPONENTSRTL(00000000,00BF73F2,?,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF73AE
                                      • Part of subcall function 00BF76DC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF7785,?,?,?,00000000), ref: 00BF7709
                                      • Part of subcall function 00BF76DC: @System@Sysutils@Trim$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,00000000), ref: 00BF7734
                                      • Part of subcall function 00BF76DC: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,00000000), ref: 00BF773C
                                      • Part of subcall function 00BF76DC: @System@Regularexpressions@TRegEx@IsMatch$qqrx20System@UnicodeStringt1.RTL250.BPL(?,?,?,00000000), ref: 00BF774D
                                      • Part of subcall function 00BF76DC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,00000000), ref: 00BF775C
                                      • Part of subcall function 00BF76DC: @System@@UStrClr$qqrpv.RTL250.BPL(00BF778C,00000000), ref: 00BF7777
                                      • Part of subcall function 00BF76DC: @System@@UStrClr$qqrpv.RTL250.BPL(00BF778C,00000000), ref: 00BF777F
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00BF73F9,00000000,00000000,00BF74BB,?,?,00000000,00000000), ref: 00BF73EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$L250String.$System@@$File$Asg$qqrr20Stringx20$Axrtl@Fileversioninfo@Version$Info@$Sysutils@$Appcrashutils@Clr$qqrpv.EventEventlog@Exist$qqrx20Helper@Len$qqrx20Oxrtl@RecordValueValue$qqrx20Windows$Aviable$qqrv.ExtractFreeInfo@$bctr$qqrx20Match$qqrx20Name$qqrvName$qqrx20Nil$qqrpv.Regularexpressions@Stringo.Stringt1.Trim$qqrx20Version$qqrv
                                    • String ID: FileDescription$ProductVersion
                                    • API String ID: 2202159745-2349545291
                                    • Opcode ID: eaac7ba5b8a499cea98c5160622dc68e4604481c12b39dde21485fd31609aa6a
                                    • Instruction ID: 7aa1a28cda01fd60765d7157e2a47ea3bd0ab2f0d2abc14a59e183225d447882
                                    • Opcode Fuzzy Hash: eaac7ba5b8a499cea98c5160622dc68e4604481c12b39dde21485fd31609aa6a
                                    • Instruction Fuzzy Hash: 0441FD74A4420CAFDB00EB98D892EADB7F5EF49304F5484E4EA00B7356DB34EE059A64
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(00000000,008638D3,?,?,0000FFFD), ref: 00863424
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863458
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(?,00000000,008638D3,?,?,0000FFFD), ref: 0086347B
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(?,00000000,008638D3,?,?,0000FFFD), ref: 00863480
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 008634BB
                                    • @Vcl@Imaging@Gifimg@TNetscapeColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250(00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 008634C9
                                      • Part of subcall function 0085A94C: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A955
                                      • Part of subcall function 0085A94C: @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085A962
                                      • Part of subcall function 0085A94C: @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085A96E
                                      • Part of subcall function 0085A94C: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085A979
                                      • Part of subcall function 0085C160: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085C16F
                                      • Part of subcall function 0085C160: @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C207
                                      • Part of subcall function 0085C160: @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C21C
                                      • Part of subcall function 0085C160: @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C231
                                      • Part of subcall function 0085C160: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000), ref: 0085C244
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 008634F6
                                      • Part of subcall function 00863180: @Vcl@Imaging@Gifimg@TGIFImage@GetDoDither$qqrv.VCLIMG250 ref: 008631AB
                                      • Part of subcall function 00863180: @Vcl@Imaging@Gifimg@WebPalette$qqrv.VCLIMG250 ref: 008631B4
                                      • Part of subcall function 0085A06C: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A084
                                      • Part of subcall function 0085A06C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0C4
                                      • Part of subcall function 0085A06C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0E3
                                      • Part of subcall function 0085A06C: @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085A12B,?,?,00000000), ref: 0085A11E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863510
                                      • Part of subcall function 00863DD8: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00863515,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 00863DE7
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863521
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 0086352E
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863563
                                    • MulDiv.KERNEL32(00000006,?,00000033), ref: 0086358D
                                    • MulDiv.KERNEL32(00000024,?,00000033), ref: 008635AC
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 00863605
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 0086361A
                                    • MulDiv.KERNEL32(0000001F,00000064,?), ref: 00863671
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,?,?,00000003,?,00000000,00863887), ref: 00863685
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,?,?,00000003,?,00000000,00863887), ref: 00863696
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,?,?,00000003,?,00000000), ref: 008636AA
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 008636CD
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00863824
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(0086384F,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863842
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(008638DA), ref: 008638BF
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(008638DA), ref: 008638CD
                                      • Part of subcall function 00859758: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(0085A01F,?,?,?,?,0085ECD2,00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 00859758
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Vcl@$System@@$Gifimg@Imaging@$System@$ColorFrame@$Graphics@Mem$qqri.Palette$qqrv$ArrayClassCreate$qqrpvzc.LoadRec.StringString$qqrp20$AfterChar$qqrpvic.Construction$qqrxp14ControlExtension@FillGraphicImage@Lookup@$bctr$qqrp10Map$qqrvObject.PixelTransparent$qqrv$ActiveAsg$qqrrpvpvt2.BitmapBitmap@Bitmap@$bctr$qqrv.CallClear$qqrrpvpv.Clr$qqrpv.Clr$qqrpvi.Colors$qqriCopyCreateDither$qqrvDynaE__.Empty$qqrvFormat$qqr25Format.FreeIndex$qqrvInst$qqrv.Lookup@Mem$qqrpv.NetscapePalette$qqrp10Rect$qqriiii.TransparentTypes@
                                    • String ID:
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00866277), ref: 00866018
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00866277), ref: 00866032
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250(00000000,00866277), ref: 0086604B
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBoundsRect$qqrv.VCLIMG250(00000000,00866277), ref: 00866060
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBoundsRect$qqrv.VCLIMG250(00000000,00866277), ref: 0086606B
                                    • @System@Types@IntersectRect$qqrr18System@Types@TRectrx18System@Types@TRectt2.RTL250.BPL(00000000,00866277), ref: 00866079
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00866277), ref: 00866089
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,00866277), ref: 00866098
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00866277), ref: 008660C0
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,00866277), ref: 008660D4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866277), ref: 008660F4
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00866277), ref: 00866105
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866277), ref: 0086610D
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00866277), ref: 0086611E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250(00000000,00866277), ref: 0086614A
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250(00000000,00866277), ref: 00866163
                                    • @System@Sysutils@CompareMem$qqrpvt1i.RTL250.BPL(00000000,00866277), ref: 008661CA
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00866277), ref: 00866204
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250(00000000,00866277), ref: 00866227
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparent$qqro.VCLIMG250(00000000,00866277), ref: 00866236
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparentColorIndex$qqruc.VCLIMG250(00000000,00866277), ref: 00866241
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,00866277), ref: 00866249
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,00866277), ref: 00866251
                                      • Part of subcall function 00865F34: @Vcl@Imaging@Gifimg@TGIFColorMap@Add$qqr21System@Uitypes@TColor.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F53
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(0086627E), ref: 00866271
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Frame@$Color$ControlGraphic$Extension@L250System@$System@@TransparentTransparent$qqrvTypes@$ActiveArrayAsg$qqrrpvpvt2.BoundsEmpty$qqrvFreeIndex$qqrvMap$qqrvRect$qqrvScanline$qqri$Add$qqr21Array$qqrpvt1ui.Bitmap$qqrvCompareDisposal$qqrvExtension@$bctr$qqrp28FinalizeFrameIndex$qqrucIntersectMap@Mask$qqrvMem$qqrpvt1i.Rect$qqrr18Rectrx18Rectt2.Sysutils@Transparent$qqroUitypes@
                                    • String ID:
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 0086AAC1
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086AADB
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AAED
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AB06
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AB1F
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AB32
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250 ref: 0086AB37
                                      • Part of subcall function 00863C14: @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00863DA7), ref: 00863C4C
                                      • Part of subcall function 00863C14: @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863C7F
                                      • Part of subcall function 00863C14: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863C90
                                      • Part of subcall function 00863C14: @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CA8
                                      • Part of subcall function 00863C14: @Vcl@Imaging@Gifimg@TGIFImage@GetDoDither$qqrv.VCLIMG250(00000000,00863D60,?,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CC1
                                      • Part of subcall function 00863C14: @Vcl@Imaging@Gifimg@TGIFFrame@DoGetDitherBitmap$qqrv.VCLIMG250(00000000,00863D60,?,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CCD
                                      • Part of subcall function 00863C14: @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,?,00000064,00863D67,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863D21
                                      • Part of subcall function 00863C14: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,?,00000064,00863D67,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000), ref: 00863D32
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 0086AB24
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AB7C
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250 ref: 0086AB81
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL ref: 0086AB8B
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086AB9F
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 0086ABA4
                                    • @Vcl@Imaging@Gifimg@TGIFImage@EffectiveBackgroundColor$qqrv.VCLIMG250 ref: 0086ABAF
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086ABB9
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 0086ABC3
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086ABCB
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 0086ABD5
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086ABDD
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 0086ABED
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,00000001), ref: 0086ABFF
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?), ref: 0086AC17
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,?), ref: 0086AC20
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Draw$qqrp20Vcl@Graphics@TCanvasrx18System@Types@TRectoo.VCLIMG250 ref: 0086AC29
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@$L250$Graphics@$List@$System@$Frame$qqriFrame@Image$Bitmap@Canvas$qqrv.$Bitmap$qqrvTransparent$qqrvTypes@$Brush@Image@LoadRec.Rect$qqriiii.StringString$qqrp20$BackgroundBitmap@$bctr$qqrv.BrushCallCanvasrx18Color$qqr21Color$qqrvColor.ControlCopyCount$qqrvDitherDither$qqrvDraw$qqrp20DynaE__.EffectiveEmpty$qqrvExtension@GraphicInst$qqrv.Item$qqriPalette$qqrp10RectooStyle$qqr24Style.System@@Uitypes@
                                    • String ID:
                                    APIs
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,008722C0), ref: 008720B4
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 008720F6
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00872112
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 00872126
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(008722C7), ref: 008722BA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Imaging@Pngimage@StringVcl@$ArrayByteClass20Classes@Clr$qqrpvi.Error$qqrp17Image@LoadMetaPosition$qqrv.RaiseRec.Stream@String$qqrp20Swap$qqrxiSystem@@Unicode
                                    • String ID: IDAT
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,00877242), ref: 00876F52
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • CreateCompatibleDC.GDI32(?), ref: 00876F61
                                    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00876F90
                                    • SelectObject.GDI32(?,?), ref: 00876FA0
                                    • @Vcl@Graphics@TCanvas@SetHandle$qqrp5HDC__.VCL250.BPL(?,?,?,?,00000000,?,00000000,00000000,?,00000000,00877242), ref: 00876FB1
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetScanline$qqrxi.VCLIMG250(00000000,?,?,?,?,00000000,?,00000000,00000000,?,00000000,00877242), ref: 00876FFE
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,?,?,?,?,00000000,?,00000000,00000000,?,00000000,00877242), ref: 00877036
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000), ref: 00877065
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000), ref: 0087707C
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetAlphaScanline$qqrxi.VCLIMG250(00000000), ref: 008770AC
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000), ref: 008770DB
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00000000), ref: 008770F1
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,00000000), ref: 00877118
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,00000000), ref: 0087712C
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetExtraScanline$qqrxi.VCLIMG250(00000000,00000000), ref: 0087715C
                                      • Part of subcall function 00876720: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000,00877161,00000000,00000000), ref: 00876724
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,00000000), ref: 0087718B
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00000000,00000000), ref: 008771A1
                                    • DeleteObject.GDI32(?), ref: 008771B9
                                    • DeleteDC.GDI32(?), ref: 008771C5
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00877242), ref: 00877216
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00877242), ref: 00877227
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00877249), ref: 0087723C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$Vcl@$Imaging@Pngimage@$Image@$Move$qqrpxvpvi.Scanline$qqrxi$Char$qqrpvic.Clr$qqrpv.CreateDeleteFillFreeHeader$qqrvMem$qqri.Mem$qqrpv.MetaObjectString$AlphaC__.Canvas@Class$qqrxp14Class.Class20CompatibleError$qqrp17ExtraGraphics@Handle$qqrp5Item$qqruiList@LoadObjectp17RaiseRec.SectionSelectString$qqrp20Unicode
                                    • String ID:
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00861D2C
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250 ref: 00861D3B
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00861D59
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250 ref: 00861D68
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250 ref: 00861D74
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@ClearImage$qqrv.VCLIMG250 ref: 00861D7B
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetInterlaced$qqrv.VCLIMG250(00000000,0086205A), ref: 00861E20
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,0086205A), ref: 00861E86
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00862096), ref: 00862079
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00862096), ref: 00862089
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$System@$L250$String$Frame@System@@$ArrayClr$qqrpvi.Image$qqrvItem@LoadRec.Severityx20String$qqrp20UnicodeWarning$qqr31$ClearExit$qqrv.FinallyInterlaced$qqrv
                                    • String ID:
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250 ref: 00865C47
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 00865C56
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250 ref: 00865C66
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPixel$qqrii.VCLIMG250 ref: 00865CA5
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPixel$qqrii.VCLIMG250 ref: 00865CE6
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPixel$qqrii.VCLIMG250 ref: 00865D35
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPixel$qqrii.VCLIMG250 ref: 00865D76
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00865DB8
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDelay$qqrv.VCLIMG250 ref: 00865DC3
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00865DD3
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250 ref: 00865DDD
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250 ref: 00865DE4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250 ref: 00865DEB
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250 ref: 00865E0A
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250 ref: 00865E13
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Clear$qqrv.VCLIMG250 ref: 00865E25
                                    • @System@@GetMem$qqri.RTL250.BPL(?), ref: 00865E53
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?), ref: 00865E87
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250(?,?), ref: 00865E9B
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(?,?), ref: 00865ECF
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(?,?), ref: 00865ED6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Frame@$Free$Pixel$qqrii$ControlExtension@GraphicImage$qqrv$Bitmap$qqrvCount$qqrvL250List@Mask$qqrvTransparent$qqrv$Clear$qqrvColorDelay$qqrvEmpty$qqrvIndex$qqrvMem$qqri.Move$qqrpxvpvi.Scanline$qqriSystem@System@@Transparent
                                    • String ID:
                                    • API String ID: 2095377403-0
                                    • Opcode ID: 9ed969bb9d5f8be821dd53b6e76c1cbba790a75cde11eabdb1bbe0ffc8974580
                                    • Instruction ID: 18c91cd78309c28994aa77e8856b7320b34e74769e1275ea63e4795b046b3ff2
                                    • Opcode Fuzzy Hash: 9ed969bb9d5f8be821dd53b6e76c1cbba790a75cde11eabdb1bbe0ffc8974580
                                    • Instruction Fuzzy Hash: A2811330208B4AABC750EF28C58152EB7E1FF84744F16892AF8D9C7742E734ED459B92
                                    APIs
                                    • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00865527
                                    • SelectObject.GDI32(?,00000000), ref: 0086553C
                                    • MaskBlt.GDI32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,CCAA0029,00000000,008655AC,?,?), ref: 00865580
                                    • SelectObject.GDI32(?,00000000), ref: 0086559A
                                    • DeleteObject.GDI32(00000000), ref: 008655A6
                                    • CreateCompatibleDC.GDI32(?), ref: 008655BC
                                    • CreateCompatibleBitmap.GDI32(?,00000000,00865AD9), ref: 008655E3
                                    • SelectObject.GDI32(00865AD9,00000000), ref: 00865606
                                    • CreateCompatibleDC.GDI32(?), ref: 00865620
                                    • CreateBitmap.GDI32(00000000,00865AD9,00000001,00000001,00000000), ref: 00865649
                                    • SelectObject.GDI32(00000000,?), ref: 0086566C
                                    • BitBlt.GDI32(00000000,?,00000000,00000000,00865AD9,?,?,00000000,00330008), ref: 008656A7
                                    • SelectPalette.GDI32(?,35080DBA,00000000), ref: 008656B7
                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 008656C6
                                    • SelectPalette.GDI32(00865AD9,00000000,000000FF), ref: 008656DB
                                    • SelectPalette.GDI32(00865AD9,35080DBA,000000FF), ref: 008656F3
                                    • RealizePalette.GDI32(00865AD9), ref: 008656FF
                                    • BitBlt.GDI32(00865AD9,?,00000000,00000000,00865AD9,00000000,?,00000000,00CC0020), ref: 00865729
                                    • BitBlt.GDI32(00865AD9,?,00000000,00000000,00865AD9,?,?,00000000,008800C6), ref: 00865750
                                    • SelectObject.GDI32(00000000,00000000), ref: 00865770
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Select$Object$CreatePalette$Compatible$Bitmap$DeleteMaskRealize
                                    • String ID:
                                    • API String ID: 650023233-0
                                    • Opcode ID: 2cbc5ae8edeaced644fd028deaee3822f86568b632452e61f62ab6c2baa3b686
                                    • Instruction ID: 120165e0e786ec86a28cb9a3de9f5d7765675f99cfcc82fad5ce54e1104d63ef
                                    • Opcode Fuzzy Hash: 2cbc5ae8edeaced644fd028deaee3822f86568b632452e61f62ab6c2baa3b686
                                    • Instruction Fuzzy Hash: 6891AEB2A00649AFCB41DFACC896EAE77FDFB0D701F424410FA18E7641D638E9548B65
                                    APIs
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00869545
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 0086955C
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000), ref: 00869573
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,00000000), ref: 0086957F
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 00869586
                                    • @Vcl@Imaging@Gifimg@TGIFRenderer@UndoPreviousFrame$qqrv.VCLIMG250 ref: 0086959F
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 008695AC
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 008695C3
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000), ref: 008695DA
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,00000000), ref: 008695E6
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 008695ED
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250 ref: 008695F8
                                    • SelectPalette.GDI32(00000000), ref: 0086961A
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,008696A5,?,00000000), ref: 00869636
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000000,008696A5,?,00000000), ref: 0086963B
                                    • RealizePalette.GDI32(00000000), ref: 00869641
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,00000001,00000000,00000000,008696A5,?,00000000), ref: 00869650
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?,?,00000000), ref: 00869667
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Draw$qqrp20Vcl@Graphics@TCanvasrx18System@Types@TRectoo.VCLIMG250(?,00000000), ref: 00869675
                                    • SelectPalette.GDI32(00000000), ref: 0086969F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Graphics@$L250$Bitmap@Canvas$qqrv.$Canvas@Gifimg@Imaging@PaletteSystem@Types@$Canvast1.CopyFrame@Rect$qqrrx18Rectp20Select$Canvasrx18Draw$qqrp20Frame$qqrvHandle$qqrv.Palette$qqrvPreviousRealizeRectooRenderer@Undo
                                    • String ID:
                                    • API String ID: 3912038034-0
                                    • Opcode ID: bd6481e055e46aff83b643a51aef6bccf079a4cf0d3063a00f707abf3547da55
                                    • Instruction ID: d031f9160518495d67ee747dffc87722626a2689f9689bbadbf996502182e62d
                                    • Opcode Fuzzy Hash: bd6481e055e46aff83b643a51aef6bccf079a4cf0d3063a00f707abf3547da55
                                    • Instruction Fuzzy Hash: 8C51A374A10208EFCB04EBA8C585E9DB7F9FF4A311F2500A1E941DB362DA31EE49DB51
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00BE232C
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@$bctr$qqrv.OXCOMPONENTSRTL ref: 00BE233F
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@JournalExist$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BE234D
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(00000000,?), ref: 00BE236F
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,?), ref: 00BE2374
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,?), ref: 00BE2386
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,?), ref: 00BE2395
                                    • @System@Sysutils@TSimpleRWSync@$bctr$qqrv.RTL250.BPL(00000000,?), ref: 00BE23A1
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00BE23B2
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@IsSupported$qqrv.OXCOMPONENTSRTL ref: 00BE23C6
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@TWindowsEventRecordWevt@$bctr$qqrpv.OXCOMPONENTSRTL ref: 00BE23DC
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL ref: 00BE2403
                                    • OpenEventLogW.ADVAPI32(00000000,00000000), ref: 00BE240B
                                    • @System@Sysutils@RaiseLastOSError$qqrv.RTL250.BPL(00000000,00000000), ref: 00BE241F
                                    • @Axrtl@System@Thread@TThread@$bctr$qqrynpqqrp27Axrtl@System@Thread@TThread$voi.AXCOMPONENTSRTL.BPL(00000002,?,?,00000000,00000000), ref: 00BE2435
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(00000002,?,?,00000000,00000000), ref: 00BE2445
                                    Strings
                                    • Journal "0:s" does not exist., xrefs: 00BE2363
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$EventUnicode$DelphiInterface$17Oxrtl@System@%Windows$Eventlog@Sysutils@$Axrtl@Copy$qqrr44Interface%.Interface%x44IntfLog@RaiseString.Thread@$AfterApi@Asg$qqrr20Char$qqrx20ClassConstruction$qqrxp14Create$qqrpvzc.Error$qqrv.Except$qqrv.Exception@$bctr$qqrx20Exist$qqrx20JournalLastLog@$bctr$qqrvObject.OpenRecordRecxi.SimpleStringStringpx14Stringx20Supported$qqrvSync@$bctr$qqrv.Thread$voi.Thread@$bctr$qqrynpqqrp27WevtWevt@$bctr$qqrpvWevtapi@Winapi@
                                    • String ID: Journal "0:s" does not exist.
                                    • API String ID: 4178221468-16596345
                                    • Opcode ID: 64a30108e111d4d9763f3bbd6ba9ec69fa4c5f814d66b418455aee22f3b53a86
                                    • Instruction ID: 350185bbe6eec7c729fb3f1d4a668b60905a6ce6eada41ff525a07fba5f6d74d
                                    • Opcode Fuzzy Hash: 64a30108e111d4d9763f3bbd6ba9ec69fa4c5f814d66b418455aee22f3b53a86
                                    • Instruction Fuzzy Hash: 7D31B370A002408FDB04EF29D8C2B8A7BE8AF55314F5482EAE914DF397DB75DD098B95
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 008733AD
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @System@@AsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008733B8
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetPixelInfo$qqrruit1.VCLIMG250 ref: 008733E0
                                      • Part of subcall function 00874B40: @Vcl@Imaging@Pngimage@TPngImage@HeaderPresent$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B4B
                                      • Part of subcall function 00874B40: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B5A
                                      • Part of subcall function 00874B40: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000,?,?,00873285,00000000,00873384), ref: 00874B69
                                      • Part of subcall function 00874B40: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,00000000,?,?,00873285,00000000,00873384), ref: 00874B78
                                      • Part of subcall function 00874B40: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B8E
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 008733E8
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 008733F9
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00873401
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00873412
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00873426
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 0087343D
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00873454
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 0087346B
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@EncodeNonInterlaced$qqrp22System@Classes@TStreamr33Vcl@Imaging@Pngimage@TZStreamRec2.VCLIMG250(?), ref: 008734AC
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 008734D0
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 008734DB
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 008734F2
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 00873509
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 00873520
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?), ref: 00873537
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Imaging@Pngimage@Vcl@$FreeImage@Mem$qqri.Mem$qqrpv.$Header$qqrv$System@$Char$qqrpvic.FillItem$qqruiList@$ChunkClass$qqrxp14Class.Classes@EncodeHeaderInfo$qqrruit1Interlaced$qqrp22MetaObjectp17PixelPointerPresent$qqrvRec2StreamStreamr33
                                    • String ID:
                                    • API String ID: 2611958933-0
                                    • Opcode ID: bc5651bf2fa79b1f7eb80b1dbba3baf28dcab253b8f7cf7f2c17fbb277b0bb52
                                    • Instruction ID: 06bec9c6db2d938dfc535786dd31e3d79bb053ae72c0502395a6e1b770cd3951
                                    • Opcode Fuzzy Hash: bc5651bf2fa79b1f7eb80b1dbba3baf28dcab253b8f7cf7f2c17fbb277b0bb52
                                    • Instruction Fuzzy Hash: 4951C3B02002448BCB45DF29C4C9B9A77E0FF49715B5986A9EC88CF36BC635ED449F86
                                    APIs
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL ref: 00C5C0F5
                                    • @System@@UStrClr$qqrpv.RTL250.BPL ref: 00C5C107
                                    • @Oxrtl@System@Jsonserializer@TObjectJSONSerializer@CanDeserialize$qqr48System@%DynamicArray$p23System@TCustomAttribute%24System@%DynamicArray$uc%r20System@UnicodeString.OXCOMPONENTSRTL ref: 00C5C120
                                    • @Oxrtl@System@Jsonserializer@TObjectJSONSerializer@DeserializeProperty$qqrp25System@Rtti@TRttiPropertyp23System@Json@TJSONObjectx24System@%DynamicArray$uc%x20System@UnicodeString.OXCOMPONENTSRTL(?,?), ref: 00C5C139
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C5C142
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL ref: 00C5C154
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL ref: 00C5C165
                                    • @System@@UStrClr$qqrpv.RTL250.BPL ref: 00C5C177
                                    • @Oxrtl@System@Jsonserializer@TObjectJSONSerializer@CanDeserialize$qqr48System@%DynamicArray$p23System@TCustomAttribute%24System@%DynamicArray$uc%r20System@UnicodeString.OXCOMPONENTSRTL ref: 00C5C190
                                      • Part of subcall function 00C5B49C: @System@@DynArrayAddRef$qqrpv.RTL250.BPL ref: 00C5B4B6
                                      • Part of subcall function 00C5B49C: @System@@DynArrayAddRef$qqrpv.RTL250.BPL ref: 00C5B4BE
                                      • Part of subcall function 00C5B49C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C5B5E0), ref: 00C5B4EB
                                      • Part of subcall function 00C5B49C: @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00C5B5E0), ref: 00C5B4FC
                                      • Part of subcall function 00C5B49C: @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,00C5B5E0), ref: 00C5B596
                                      • Part of subcall function 00C5B49C: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00C5B5E0), ref: 00C5B5AC
                                      • Part of subcall function 00C5B49C: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C5B5E7), ref: 00C5B5C7
                                      • Part of subcall function 00C5B49C: @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5B5E7), ref: 00C5B5DA
                                    • @Oxrtl@System@Jsonserializer@TObjectJSONSerializer@DeserializeField$qqrp22System@Rtti@TRttiFieldp23System@Json@TJSONObjectx24System@%DynamicArray$uc%x20System@UnicodeString.OXCOMPONENTSRTL(?,?), ref: 00C5C1A9
                                      • Part of subcall function 00C5BBFC: @System@@InitializeRecord$qqrpvt1.RTL250.BPL ref: 00C5BC1F
                                      • Part of subcall function 00C5BBFC: @System@Sysutils@TStringHelper@IsEmpty$qqrv.RTL250.BPL(?), ref: 00C5BC47
                                      • Part of subcall function 00C5BBFC: @System@Strutils@IfThen$qqrox20System@UnicodeString20System@UnicodeString.RTL250.BPL ref: 00C5BC50
                                      • Part of subcall function 00C5BBFC: @System@Json@TJSONObject@GetValue$qqrx20System@UnicodeString.RTL250.BPL ref: 00C5BC5A
                                      • Part of subcall function 00C5BBFC: @System@Rtti@TRttiType@GetHandle$qqrv.RTL250.BPL ref: 00C5BC81
                                      • Part of subcall function 00C5BBFC: @Oxrtl@System@Jsonserializer@TObjectJSONSerializer@DoDeserialize$qqr48System@%DynamicArray$p23System@TCustomAttribute%p22System@Json@TJSONValuep24System@Typinfo@TTypeInfor18System@Rtti@TValue24System@%DynamicArray$uc%.OXCOMPONENTSRTL ref: 00C5BCA1
                                      • Part of subcall function 00C5BBFC: @System@Rtti@TValue@GetIsEmpty$qqrv.RTL250.BPL ref: 00C5BCA9
                                      • Part of subcall function 00C5BBFC: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C5BCFF), ref: 00C5BCD4
                                      • Part of subcall function 00C5BBFC: @System@@UStrClr$qqrpv.RTL250.BPL(00C5BCFF), ref: 00C5BCDC
                                      • Part of subcall function 00C5BBFC: @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5BCFF), ref: 00C5BCEA
                                      • Part of subcall function 00C5BBFC: @System@@UStrClr$qqrpv.RTL250.BPL(00C5BCFF), ref: 00C5BCF2
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C5C1B2
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL ref: 00C5C1C4
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5C249), ref: 00C5C1E4
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5C249), ref: 00C5C1F2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C5C249), ref: 00C5C1FA
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5C249), ref: 00C5C20D
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5C249), ref: 00C5C220
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5C249), ref: 00C5C22E
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C5C249), ref: 00C5C23C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$Array$Unicode$DynamicSystem@%$Finalize$Clear$qqrrpvpv.$Clr$qqrpv.Jsonserializer@ObjectOxrtl@Rtti@Serializer@String$Array$qqrpvt1ui.Json@Record$qqrpvt1.$Array$p23Asg$qqrrpvpvt2.CustomDeserialize$qqr48Length$qqrpxv.RttiString.$Array$uc%r20Array$uc%x20Attribute%24DeserializeEmpty$qqrv.Objectx24Ref$qqrpv.$Array$uc%Asg$qqrr20Attribute%p22Field$qqrp22Fieldp23Handle$qqrv.Helper@Infor18InitializeObject@Property$qqrp25Propertyp23String20Stringx20Strutils@Sysutils@Then$qqrox20TypeType@Typinfo@Value$qqrx20Value24Value@Valuep24
                                    • String ID:
                                    • API String ID: 2931505224-0
                                    • Opcode ID: 0acb450c3e2c305d0dd9f64a93c13533c46d50715648fc6820f29aac29bed6d5
                                    • Instruction ID: 985645618a6d95276c4e1a8a339ca61442062fd66bcb7da6a572bcb33a4f4164
                                    • Opcode Fuzzy Hash: 0acb450c3e2c305d0dd9f64a93c13533c46d50715648fc6820f29aac29bed6d5
                                    • Instruction Fuzzy Hash: 0741EA38A102199FCB00EF98D981EAEB7F5FF49301F604565E811B7366DB30AE46CB64
                                    APIs
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL ref: 00BE034E
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@TXPathCondition@Init$qqrv.OXCOMPONENTSRTL(00000000,00BE04A6), ref: 00BE0364
                                      • Part of subcall function 00BE1B4C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,00BDF817,00000000,00BDF8FD,?,?,00000000), ref: 00BE1B5C
                                      • Part of subcall function 00BE1B4C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,00BDF817,00000000,00BDF8FD,?,?,00000000), ref: 00BE1B6C
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@GetEnumerator$qqrv.OXCOMPONENTSRTL(00000000,00BE04A6), ref: 00BE036C
                                      • Part of subcall function 00BE3924: @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@TEnumerator@$bctr$qqrxp125System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@SystemsnxQiHJjcixCJyxC14KNOg.OXCOMPONENTSRTL(?,00BE01D2,00000000,00BE0321), ref: 00BE3930
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@TEnumerator@GetCurrent$qqrv.OXCOMPONENTSRTL(00000000,00BE0471,?,00000000,00BE04A6), ref: 00BE038D
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@TXPathCondition@IsEmpty$qqrv.OXCOMPONENTSRTL(?,00000000,00BE04A6), ref: 00BE03A0
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@TEnumerator@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00BE0471,?,00000000,00BE04A6), ref: 00BE0446
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    Similarity
                                    • String ID: and $ or
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(00000000,00863C01,?,?,0000FFFD), ref: 00863909
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 0086393D
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(?,00000000,00863C01,?,?,0000FFFD), ref: 00863960
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(?,00000000,00863C01,?,?,0000FFFD), ref: 00863965
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00863C08), ref: 00863BFB
                                      • Part of subcall function 00859758: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(0085A01F,?,?,?,?,0085ECD2,00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 00859758
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 0086398F
                                      • Part of subcall function 0085A06C: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A084
                                      • Part of subcall function 0085A06C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0C4
                                      • Part of subcall function 0085A06C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0E3
                                      • Part of subcall function 0085A06C: @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085A12B,?,?,00000000), ref: 0085A11E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00863BC3,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 008639BD
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,00863BC3,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 008639EA
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,00863BC3,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 00863A0E
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,00863BC3,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 00863A23
                                    • MulDiv.KERNEL32(0000001F,00000064,?), ref: 00863A7E
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(00863D60,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,00863BC3,?,00000000,?,?,00000003,00000000), ref: 00863A92
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00863D60,00863D60,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,00863BC3,?,00000000,?,?,00000003), ref: 00863AA3
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,00863D60,00863D60,00000000,00000000,00000000,0000001F,00000064,?,?,00000000,00863BC3,?,00000000,?,?), ref: 00863AB7
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,00000000,00863BC3,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 00863AC6
                                    • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00863B82
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00863BAD,?,00000000,?,?,00000003,00000000,00863BD4,?,00000000,00863C01,?,?,0000FFFD), ref: 00863BA0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,?,008715AA,00000000,00871657), ref: 00871A18
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@FreeImageData$qqrv.VCLIMG250(?,?,?,?,008715AA,00000000,00871657), ref: 00871A1F
                                      • Part of subcall function 00871668: DeleteObject.GDI32(?), ref: 00871673
                                      • Part of subcall function 00871668: DeleteDC.GDI32(?), ref: 00871680
                                      • Part of subcall function 00871668: @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 0087168F
                                      • Part of subcall function 00871668: DeleteObject.GDI32(?), ref: 0087169C
                                      • Part of subcall function 00871668: @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 008716AB
                                    • @System@@GetMem$qqri.RTL250.BPL(?,?,?,?,?,?,008715AA,00000000,00871657), ref: 00871AFC
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,?,?,?,008715AA,00000000,00871657), ref: 00871B20
                                    • @System@@GetMem$qqri.RTL250.BPL(?), ref: 00871B40
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?), ref: 00871B64
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00871B6B
                                    • @Vcl@Graphics@TCanvas@SetHandle$qqrp5HDC__.VCL250.BPL(00000000), ref: 00871B84
                                    • CreateHalftonePalette.GDI32(?,00000000), ref: 00871BA6
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@CreateGrayscalePalette$qqri.VCLIMG250(00000000), ref: 00871BBD
                                    • ResizePalette.GDI32(?,00000001), ref: 00871BDB
                                    • SelectPalette.GDI32(?,?,00000000), ref: 00871C00
                                    • RealizePalette.GDI32(?), ref: 00871C0B
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@PaletteToDIB$qqrp10HPALETTE__.VCLIMG250(?,?,?,00000000,00000000), ref: 00871C17
                                    • CreateDIBSection.GDI32(?,-00000474,00000000,-00000450,00000000,00000000), ref: 00871C36
                                    • SelectObject.GDI32(?,00000000), ref: 00871C49
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,00000000), ref: 00871C69
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00873384), ref: 0087322A
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @System@@AsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00873384), ref: 00873235
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@PreparePalette$qqrv.VCLIMG250(00000000,00873384), ref: 00873247
                                      • Part of subcall function 00871FB0: @System@@FillChar$qqrpvic.RTL250.BPL ref: 00871FEA
                                      • Part of subcall function 00871FB0: MulDiv.KERNEL32(?,000000FF,-00000001), ref: 00872027
                                      • Part of subcall function 00871FB0: CreatePalette.GDI32(?), ref: 00872054
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250(00000000,00873384), ref: 0087326F
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetPixelInfo$qqrruit1.VCLIMG250(00000000,00873384), ref: 00873280
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,00873384), ref: 00873291
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,00873384), ref: 008732A0
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,00873384), ref: 008732AC
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,00873384), ref: 008732BD
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@DecodeNonInterlaced$qqrp22System@Classes@TStreamr33Vcl@Imaging@Pngimage@TZStreamRec2xirui.VCLIMG250(?,?,00000000,00873384), ref: 008732E7
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00000000,00873384), ref: 00873311
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00000000,00873384), ref: 0087331D
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00873338
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00873358
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00873369
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0087338B), ref: 0087337E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF3AA0,00000000,00BF3BC0), ref: 00BF5219
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BF522C
                                      • Part of subcall function 00BF089C: @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00BF08A7
                                    • @System@Generics@Collections@%TList__1$p56Oxrtl@System@Fileutils@FileUtils@TDosDeviceToWinPathItem%@Clear$qqrv.OXCOMPONENTSRTL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF526F
                                    • @System@Ioutils@TDirectory@GetLogicalDrives$qqrv.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF5277
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF5292
                                    • @System@Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF529D
                                    • @Axrtl@Winapi@Kernel32@Kernel32@GetDosDevice$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF52D0,?,00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000), ref: 00BF52B6
                                    • @System@Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF52D0,?,00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000), ref: 00BF52C1
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF52ED
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF52FD
                                    • @System@Generics@Collections@%TList__1$p56Oxrtl@System@Fileutils@FileUtils@TDosDeviceToWinPathItem%@Add$qqrxp56Oxrtl@System@Fileutils@FileUtils@TDosDeviceToWinPathItem.OXCOMPONENTSRTL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF530B
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF5316
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF5321
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF532C
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00BF5367,?,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000), ref: 00BF5343
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00BF536E,00000000,00BF5386,?,00000000,00BF53BE,?,00C6D158,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF5355
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00860380
                                      • Part of subcall function 008592EC: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00859322
                                      • Part of subcall function 008592EC: @System@@UStrClr$qqrpv.RTL250.BPL(0085934C), ref: 0085933F
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008603A1
                                    • @System@Sysutils@UpperCase$qqrx20System@UnicodeString.RTL250.BPL(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008603AC
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008603B9
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,?,00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008603C7
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008603F6
                                    • @System@Sysutils@UpperCase$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00860401
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0086040E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0086041D
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00860468
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@LoadFromStream$qqrp22System@Classes@TStreami.VCLIMG250(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0086047C
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(00000000,008604A6,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00860486
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(008604AD,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008604A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    Similarity
                                    • String ID: GIF
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(?,?,?), ref: 00865944
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@HasMask$qqrv.VCLIMG250(?,?,?), ref: 00865953
                                      • Part of subcall function 008633D0: @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 008633DB
                                      • Part of subcall function 008633D0: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250 ref: 008633E6
                                      • Part of subcall function 008633D0: @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250 ref: 008633ED
                                    • CreateCompatibleDC.GDI32(00000000), ref: 0086597A
                                    • SelectObject.GDI32(?,?), ref: 0086598F
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250(?,?,00000000,00000000,00865AD9,?,?,?,?), ref: 00865A69
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?,?,00000000,00000000,00865AD9,?,?,?,?), ref: 00865A6E
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(?,?,00000000,00000000,00865AD9,?,?,?,?), ref: 00865A73
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00865AD9), ref: 00865A92
                                    • SelectObject.GDI32(00000000,00000000), ref: 00865AC4
                                    • DeleteDC.GDI32(00000000), ref: 00865AD3
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250(?,?,?), ref: 00865B1A
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250(?,?,?), ref: 00865B6F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@$Frame@$Bitmap$qqrv$Graphics@L250Transparent$qqrv$Canvas@Handle$qqrv.ObjectSelect$Bitmap@Canvas$qqrv.CompatibleControlCreateDeleteExtension@FreeGraphicMask$qqrv
                                    • String ID:
                                    • API String ID: 3991581260-0
                                    • Opcode ID: 26a9cd6252284394864a87e3eda062bd580ace67f9b5fe0efae2dc1573e7c51c
                                    • Instruction ID: 5797ecfc61cb499f6a31d74cc2176c21a148d561c72cf1a2a39286815cd5a217
                                    • Opcode Fuzzy Hash: 26a9cd6252284394864a87e3eda062bd580ace67f9b5fe0efae2dc1573e7c51c
                                    • Instruction Fuzzy Hash: 80811670A006059FCB50DFA8C881AAEBBF5FF49311F2581A5F949DB246DB34ED44CBA1
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868686
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686B7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686E4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686E9
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686FE
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868323
                                      • Part of subcall function 008682FC: @System@Classes@TList@Add$qqrpv.RTL250.BPL(00000000,00868423,?,00000000,00000000,?), ref: 00868339
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868358
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868369
                                      • Part of subcall function 008682FC: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00868423,?,00000000,00000000,?), ref: 008683A1
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 008683AE
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparentColorIndex$qqruc.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 008683F7
                                      • Part of subcall function 008682FC: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparent$qqro.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868404
                                      • Part of subcall function 008682FC: @System@@UStrClr$qqrpv.RTL250.BPL(0086842A,00000000,00000000,?), ref: 0086841D
                                    • @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868737
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686CE
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 0086872E
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868698
                                      • Part of subcall function 008681DC: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008681EC
                                      • Part of subcall function 008681DC: @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 008681FD
                                      • Part of subcall function 008681DC: @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 00868218
                                      • Part of subcall function 008681DC: @System@@GetMem$qqri.RTL250.BPL(00000000,00000000,?), ref: 00868226
                                      • Part of subcall function 008681DC: @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 00868235
                                      • Part of subcall function 008681DC: @System@Classes@TList@SetCapacity$qqri.RTL250.BPL(00000000,00000000,?), ref: 00868244
                                      • Part of subcall function 008681DC: @System@Classes@TList@Add$qqrpv.RTL250.BPL(00000000,00000000,?), ref: 0086826A
                                      • Part of subcall function 008681DC: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(00000000,00000000,?), ref: 008682A8
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868742
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 0086875D
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868773
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868778
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868789
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008687A4
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008687B1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$L250$System@$Frame$qqriImage$Classes@$Add$qqrpv.ColorFrame@System@@$ControlEmpty$qqrvExtension@GraphicObject@$bctr$qqrv.$Count$qqrvImage@Map$qqrvStringTransparent$AfterCapacity$qqri.ClassClr$qqrpv.Construction$qqrxp14Create$qqrpvzc.Free$qqrv.Index$qqrucIndex$qqrvItem$qqriItem@LoadMem$qqri.Object.Object@Rec.Severityx20String$qqrp20Transparent$qqroTransparent$qqrvUnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 3449107730-0
                                    • Opcode ID: 67fc4a746ed8438364524cfede2bbf8a8737e35866a610a73079005447796454
                                    • Instruction ID: c83efd7db1c385c09c330f8b08bc0640fd565457f6809187d64201e965e17426
                                    • Opcode Fuzzy Hash: 67fc4a746ed8438364524cfede2bbf8a8737e35866a610a73079005447796454
                                    • Instruction Fuzzy Hash: C441F234204154CFCB41EE2CC581B267BE1FB99754B2681D5EC88CF72BDE65DC868BA2
                                    APIs
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0087649A
                                    • @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 008764A1
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748B7
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748D5
                                      • Part of subcall function 008748B0: @System@TObject@Free$qqrv.RTL250.BPL(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748DA
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748EB
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 008764AF
                                      • Part of subcall function 008714E8: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008714F1
                                      • Part of subcall function 008714E8: @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 0087150D
                                      • Part of subcall function 008714E8: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00871518
                                      • Part of subcall function 00875FA8: @Vcl@Imaging@Pngimage@TChunkIHDR@PrepareImageData$qqrv.VCLIMG250 ref: 00876007
                                      • Part of subcall function 00875FA8: CreateCompatibleDC.GDI32(00000000), ref: 0087600E
                                      • Part of subcall function 00875FA8: GetDIBits.GDI32(00000000,00000000,00000000,?,?,00000024,00000000), ref: 0087602D
                                      • Part of subcall function 00875FA8: DeleteDC.GDI32(00000000), ref: 00876033
                                    • @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 008764D1
                                      • Part of subcall function 00870C44: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00870C5D
                                      • Part of subcall function 00870C44: @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870C7E
                                      • Part of subcall function 00870C44: @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870C99
                                      • Part of subcall function 00870C44: @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CA6
                                      • Part of subcall function 00870C44: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CC7
                                      • Part of subcall function 00870C44: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL250.BPL(?,00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CD7
                                      • Part of subcall function 00870C44: @System@@UStrClr$qqrpv.RTL250.BPL(00870CF9,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CEC
                                    • @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 008764EB
                                    • @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876503
                                    • @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876514
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876524
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876537
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 0087654B
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876559
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876567
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876591
                                    • CreatePalette.GDI32(00000300), ref: 008765EC
                                    • @Vcl@Imaging@Pngimage@TPngImage@DoSetPalette$qqrp10HPALETTE__xo.VCLIMG250(00000300), ref: 008765F7
                                    • @Vcl@Imaging@Pngimage@TChunktRNS@SetTransparentColor$qqrxui.VCLIMG250(00000000,00000018,?,?,?,?,?,008748A1), ref: 00876608
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$L250$ImageList@System@System@@$Pointer$Add$qqrpvChunk@$bctr$qqrp30$Class$Image@Object@$ChunkCreateCreate$qqrpvzc.Name$qqrv.Unicode$AfterAnsiBitsChar$qqrpvic.Chunks$qqrvChunktClearClr$qqrpv.Color$qqrxuiCompatibleConstruction$qqrxp14Copy$qqrx20Data$qqrvDeleteE__xoFillFree$qqrv.FromGamma$qqrvInitializeItem$qqruiObjectObject.Object@$bctr$qqrv.PalettePalette$qqrp10PrepareR@$bctr$qqrp30Size$qqrxuiStr$qqrr27StringStringii.Stringus.System@%T$us$i0$%x20Transparent
                                    • String ID:
                                    • API String ID: 379831005-0
                                    • Opcode ID: de030d0e6470d8a038b85664dfcaad32380d87934af7dbaa7f5c8e1ecd249376
                                    • Instruction ID: 6aaac54bbda17563a8393a8aaf68761035b796cd50e5815db74f0587f742221b
                                    • Opcode Fuzzy Hash: de030d0e6470d8a038b85664dfcaad32380d87934af7dbaa7f5c8e1ecd249376
                                    • Instruction Fuzzy Hash: 7741D270A042598BDB15DB6CC8806EEB7E0FF54304F0482AAE849DB35ADA71EE45CF56
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCD3A9), ref: 00BCD267
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCD22D,00000000,00BCD3A9), ref: 00BCD286
                                    • @Axrtl@Winapi@Kernel32@Kernel32@GetPackagesByPackageFamily$qqrpbruit1t2t1.AXCOMPONENTSRTL.BPL(00000000,00BCD22D,00000000,00BCD3A9), ref: 00BCD294
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000000,00000000,00BCD22D,00000000,00BCD3A9), ref: 00BCD2C8
                                    • @System@AllocMem$qqri.RTL250.BPL ref: 00BCD2D5
                                    • @Axrtl@Winapi@Kernel32@Kernel32@GetPackagesByPackageFamily$qqrpbruit1t2t1.AXCOMPONENTSRTL.BPL(00000000,00000000,00000000,00BCD37E), ref: 00BCD2FB
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,00000000,00BCD37E), ref: 00BCD304
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL(00000000,00000000,00000000,00BCD37E), ref: 00BCD30E
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,00000000,00000000,00BCD37E), ref: 00BCD325
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00000000,00000000,00BCD37E), ref: 00BCD32D
                                    • @System@Generics@Collections@%TList__1$20System@UnicodeString%@$bctr$qqrv.OXCOMPONENTSRTL(00000000,00000000,00000000,00BCD37E), ref: 00BCD343
                                    • @System@Generics@Collections@%TList__1$20System@UnicodeString%@Add$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00000000,00000000,00BCD37E), ref: 00BCD351
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00BCD385,00BCD37E), ref: 00BCD36A
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BCD385,00BCD37E), ref: 00BCD378
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BCD3B0), ref: 00BCD395
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00BCD3B0), ref: 00BCD3A3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$System@$Unicode$ArrayKernel32@$String.$Axrtl@Clear$qqrrpvpv.Collections@%Family$qqrpbruit1t2t1.Generics@Len$qqrx20List__1$20PackagePackagesWinapi@$Add$qqrx20AllocChar$qqrr20Char$qqrx20Clr$qqrpv.Exit$qqrv.FinallyFreeFromHigh$qqrpxv.Length$qqrv.Mem$qqri.Mem$qqrpv.StringString%@String%@$bctr$qqrvStringpb.
                                    • String ID:
                                    • API String ID: 3027235703-0
                                    • Opcode ID: 340eaf8edf0a9608067e08c4bb435fcc36555cb0fb4c41d780618b0f22ebacd2
                                    • Instruction ID: 50cd24664fe08c0a7d176382676c62d601e2e0f8d423d6c5745df63170b74b7e
                                    • Opcode Fuzzy Hash: 340eaf8edf0a9608067e08c4bb435fcc36555cb0fb4c41d780618b0f22ebacd2
                                    • Instruction Fuzzy Hash: C4411F75A002499FDB10EFA8DC81FAEB7F9EB89300F5045B9E500E7251EA349E05CBA5
                                    APIs
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C26587), ref: 00C26562
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C26587), ref: 00C2656A
                                    • @System@@WStrClr$qqrpv.RTL250.BPL(00C26587), ref: 00C26572
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C26587), ref: 00C2657A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Clr$qqrpv.$Clear$qqrr44DelphiInterface$17Interface%.IntfSystem@System@%
                                    • String ID: %s\%s$localhost$root
                                    • API String ID: 2209739163-1772245708
                                    • Opcode ID: c1834e3887e3629ca03b46f4cbb6678c43b1e67b8769ea761f590451e0687613
                                    • Instruction ID: 8a109abd21ad67154a3132d14166a7eb895c750a31d67c545da6b5a6a7f24068
                                    • Opcode Fuzzy Hash: c1834e3887e3629ca03b46f4cbb6678c43b1e67b8769ea761f590451e0687613
                                    • Instruction Fuzzy Hash: 46313770904258AFDB04DF99D881AEDBBF9EF4A304F6184B9E400B7A52D774AE04CB60
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00878728
                                      • Part of subcall function 00885DBC: memset.MSVCRT ref: 00885E14
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@GetBitmap$qqrv.VCLIMG250 ref: 0087879E
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?,?,?,?,008782B2), ref: 00878CF9
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D43
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(?,?,?,00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D62
                                      • Part of subcall function 00878CBC: @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DA6
                                      • Part of subcall function 00878CBC: @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DC0
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(00000000,00879154,?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000), ref: 00878DF9
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewImage$qqrv.VCLIMG250 ref: 008787B2
                                      • Part of subcall function 008793CC: @Vcl@Graphics@TSharedImage@Release$qqrv.VCL250.BPL(0088D300,?,008781EC), ref: 008793D7
                                      • Part of subcall function 008793CC: @System@TObject@$bctr$qqrv.RTL250.BPL(0088D300,?,008781EC), ref: 008793E3
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 008787BE
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,00000000), ref: 008787D4
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL ref: 00878819
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 00878888
                                    • @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL ref: 008788B1
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 00878912
                                    • @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 0087892B
                                    • @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000), ref: 0087896E
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,00000000,00000000), ref: 00878988
                                    • @System@ExceptObject$qqrv.RTL250.BPL(00878A39,00000000,?,?,00000000,00000000,00000000), ref: 008789EE
                                    • @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00878A39,00000000,?,?,00000000,00000000,00000000), ref: 00878A12
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,00000000,00000000,00878A39,00000000,?,?,00000000,00000000,00000000), ref: 00878A2C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Vcl@$Graphics@$System@$Bitmap@System@@$Classes@Pixel$CallDynaImage@Inst$qqrv.Rect$qqriiii.$Bitmap@$bctr$qqrv.Format$qqr25Format.Imaging@Jpeg@Object@$bctr$qqrv.Scanline$qqri.$Bitmap$qqrvChar$qqrpvic.CopyE__.ExceptExit$qqrv.FillFinallyHandle$qqrp9Image$qqrvObject$qqrv.P__.Palette$qqrp10Position$qqrxj.Release$qqrv.SharedStream@memset
                                    • String ID:
                                    • API String ID: 1500411942-0
                                    • Opcode ID: 3d9bcaefe472f590713bd7483829702e4514bc1247eb3c5263d3f662552b06d3
                                    • Instruction ID: 34eb65d7382e3af86b9fdd9a500dcc4ad46d16719c4a527718c6092bdce5b6b1
                                    • Opcode Fuzzy Hash: 3d9bcaefe472f590713bd7483829702e4514bc1247eb3c5263d3f662552b06d3
                                    • Instruction Fuzzy Hash: 3BA1E374A40219DFDB11DB68C989B9DB7F5FB09310F5081A5E908EB3A5DB70AE84CB42
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085D296
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2A5
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2B0
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2BB
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2C6
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2D1
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2DC
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2E7
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2F2
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D2FD
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D308
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D313
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085D31E
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085D329
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085D334
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$FreeMem$qqrpv.$System@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 4017372846-0
                                    • Opcode ID: d0bbc7c18bc75eaa93f28544f79d9cae51696866b927a2a821fce126c815cdc9
                                    • Instruction ID: 2378e7c98e9b8411762ec499d27978bd4c9732471450ae85ad3f25995ba21eee
                                    • Opcode Fuzzy Hash: d0bbc7c18bc75eaa93f28544f79d9cae51696866b927a2a821fce126c815cdc9
                                    • Instruction Fuzzy Hash: 8C012731290E54C7CA20B63CDD9678BA3E4FF447C2F048C25B8D5C729ADE266D8997C2
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@SuspendDraw$qqrv.VCLIMG250 ref: 00868AA2
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(00000000,00868C14), ref: 00868ABB
                                      • Part of subcall function 0086B1D0: @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,0086989E,?,008698DD,0086981D), ref: 0086B1FF
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868686
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868698
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686B7
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686CE
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686E4
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686E9
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 008686FE
                                      • Part of subcall function 00868678: @System@Classes@TList@Add$qqrpv.RTL250.BPL(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 0086872E
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868742
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 0086875D
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868773
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868778
                                      • Part of subcall function 00868678: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,?,00868AC8,00000000,00868C14), ref: 00868789
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(00000000,00868C14), ref: 00868AE3
                                      • Part of subcall function 00868434: @System@Classes@TList@Sort$qqrpqqrpvt1$i.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868442
                                      • Part of subcall function 00868434: @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868457
                                      • Part of subcall function 00868434: @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868471
                                      • Part of subcall function 00868434: @System@Classes@TList@SetCount$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 0086848A
                                    • @System@Classes@TList@SetCapacity$qqri.RTL250.BPL ref: 00868B06
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868B24
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868B48
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL ref: 00868B55
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868B95
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00868BBA
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00868BD4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@SetHasBitmap$qqro.VCLIMG250 ref: 00868BDB
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00868BEB
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@SetPalette$qqrp10HPALETTE__.VCLIMG250 ref: 00868BF2
                                    • @Vcl@Imaging@Gifimg@TGIFImage@ResumeDraw$qqrv.VCLIMG250(00868C1B), ref: 00868C0E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: List@$Gifimg@Imaging@Vcl@$L250System@$Classes@$Frame$qqriImage$Get$qqri.$Image@$Frame@$Count$qqrvDraw$qqrv$Add$qqrpv.ColorEmpty$qqrvMap$qqrv$Bitmap$qqroCapacity$qqri.Count$qqri.Free$qqrv.Object@Palette$qqrp10ResumeSort$qqrpqqrpvt1$i.StopSuspend
                                    • String ID:
                                    • API String ID: 720290684-0
                                    • Opcode ID: 51d859602a4d108ddb2eb66dd6a9036abb367d3cb2faa8f1eb8710090a8b6943
                                    • Instruction ID: d0fbe52015a91f7e56d9aa9140de7e721d40ed815bed796feaaeb5172518bb6c
                                    • Opcode Fuzzy Hash: 51d859602a4d108ddb2eb66dd6a9036abb367d3cb2faa8f1eb8710090a8b6943
                                    • Instruction Fuzzy Hash: 1D51C378A04609DFCB50EBADC5D5C5DB7F5FF59310B268291E858DB322CA30EE419B42
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085D0ED
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D17F
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D194
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D1A9
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D1BE
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D1D3
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D1E8
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D1FD
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D212
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D227
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D23C
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D251
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D266
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000,?,00000001,?,0085F0C6,?,?,?,?,?,?,0085F208), ref: 0085D279
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Mem$qqri.$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.System@
                                    • String ID:
                                    • API String ID: 3732308598-0
                                    • Opcode ID: 055f37226906216e9016ad662e54e3e54c35d69467fabf25098f6d636d6f870c
                                    • Instruction ID: c19f36609b3404159fc2d96d1e76893d1828aa3d690896c879ec825c2ed58a8f
                                    • Opcode Fuzzy Hash: 055f37226906216e9016ad662e54e3e54c35d69467fabf25098f6d636d6f870c
                                    • Instruction Fuzzy Hash: 404129B3A406008BDF58EF7CCC8638536D0FB0531AF48497AEC55CB346EA79C5998B96
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00863DA7), ref: 00863C4C
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863C7F
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863C90
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CA8
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetDoDither$qqrv.VCLIMG250(00000000,00863D60,?,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CC1
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@DoGetDitherBitmap$qqrv.VCLIMG250(00000000,00863D60,?,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CCD
                                      • Part of subcall function 008633FC: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(00000000,008638D3,?,?,0000FFFD), ref: 00863424
                                      • Part of subcall function 008633FC: @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00863898,?,00000000,008638D3,?,?,0000FFFD), ref: 00863458
                                      • Part of subcall function 008633FC: @Vcl@Imaging@Gifimg@TGIFFrame@GetPalette$qqrv.VCLIMG250(?,00000000,008638D3,?,?,0000FFFD), ref: 0086347B
                                      • Part of subcall function 008633FC: @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(?,00000000,008638D3,?,?,0000FFFD), ref: 00863480
                                      • Part of subcall function 008633FC: @System@@UStrClr$qqrpv.RTL250.BPL(008638DA), ref: 008638BF
                                      • Part of subcall function 008633FC: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(008638DA), ref: 008638CD
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@DoGetBitmap$qqrv.VCLIMG250(00000000,00863D60,?,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863CDD
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,?,00000064,00863D67,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000,00863DA7), ref: 00863D21
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,?,00000064,00863D67,?,?,?,00000000,00000000,?,00000000,00863D71,?,00000000), ref: 00863D32
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,?,00000064,00863D67,?,?,?,00000000,00000000,?,00000000,00863D71), ref: 00863D46
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00863DAE), ref: 00863DA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Vcl@$Gifimg@Imaging@System@$Frame@System@@$ArrayBitmap$qqrvCallDynaEmpty$qqrvGraphics@Inst$qqrv.LoadRec.Rect$qqriiii.StringString$qqrp20Types@$Bitmap@$bctr$qqrv.Clear$qqrrpvpv.Clr$qqrpv.Clr$qqrpvi.CopyDitherDither$qqrvE__.Image@Palette$qqrp10Palette$qqrv
                                    • String ID: d
                                    • API String ID: 1941652230-2564639436
                                    • Opcode ID: fcdf330615c139013a458bcd80a1809fe69a24f61b2fc8b85ebe7773641c5c24
                                    • Instruction ID: b0772f85a779b351a604be712fb6ff38c34bc89e7d0d893616451842af4f6162
                                    • Opcode Fuzzy Hash: fcdf330615c139013a458bcd80a1809fe69a24f61b2fc8b85ebe7773641c5c24
                                    • Instruction Fuzzy Hash: C4410875A00608AFDB05DFA9C991A9EB7FAFB49700F2181A5E804E7391D634AE04DB61
                                    APIs
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C2A2B5
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A2E1
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A2F1
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A301
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A30B
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000000), ref: 00C2A321
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A32C
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,00000000,?), ref: 00C2A35B
                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,?), ref: 00C2A361
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,?,00000000,?), ref: 00C2A36F
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL ref: 00C2A385
                                    • @System@Sysutils@Abort$qqrv.RTL250.BPL ref: 00C2A3A4
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C2A3D9), ref: 00C2A3C4
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2A3D9), ref: 00C2A3CC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$Array$Length$qqrpxv.$System@$DelphiInterface$17Interface%.IntfSystem@%$Abort$qqrv.Array$qqrpvt1ui.Clear$qqrr44FinalizeLength$qqrv.MultipleObjectsRef$qqrx44Sysutils@Wait
                                    • String ID:
                                    • API String ID: 3373432657-0
                                    • Opcode ID: bd80476aafc8539c6951915172c2b7867c45469cf78172aae5fb8acd52ab932d
                                    • Instruction ID: e2496a09da9295cb053ae5e8536ca9e70b9b5440ee96cffeacc46a4ccf68f273
                                    • Opcode Fuzzy Hash: bd80476aafc8539c6951915172c2b7867c45469cf78172aae5fb8acd52ab932d
                                    • Instruction Fuzzy Hash: BC410C75A00219AFDB00EFA9D881A9EF7F5EF45340F5044A9E811EB622D730EE45CB55
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00856EC4,00000000,0088C464,?,?,00000000,00000000), ref: 0088C389
                                    • @Vcl@Graphics@TPicture@RegisterFileFormat$qqrx20System@UnicodeStringt1p17System@TMetaClass.VCL250.BPL(00856EC4,00000000,0088C464,?,?,00000000,00000000), ref: 0088C39B
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00856EC4,00000000,0088C464,?,?,00000000,00000000), ref: 0088C3A8
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00856EC4,00000000,0088C464,?,?,00000000,00000000), ref: 0088C3B0
                                    • RegisterClipboardFormatW.USER32(00000000), ref: 0088C3B6
                                    • @Vcl@Graphics@TPicture@RegisterClipboardFormat$qqrusp17System@TMetaClass.VCL250.BPL(00856EC4,00000000,0088C464,?,?,00000000,00000000), ref: 0088C3D3
                                    • GetDC.USER32(00000000), ref: 0088C3DA
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0088C3FA
                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0088C409
                                    • ReleaseDC.USER32(00000000,00000000), ref: 0088C43C
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0088C46B,?,00000000,00000000), ref: 0088C45E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Register$CapsClass.ClipboardDeviceGraphics@LoadMetaPicture@Rec.StringString$qqrp20System@@UnicodeVcl@$ArrayChar$qqrx20Clr$qqrpvi.FileFormatFormat$qqrusp17Format$qqrx20ReleaseString.Stringt1p17
                                    • String ID: GIF
                                    • API String ID: 4211467630-881873598
                                    • Opcode ID: 2069d16af7bd17601be64afc8ede1392f8d809cc95c834325f13b5b231768e0b
                                    • Instruction ID: 8e34368590c01c9eda3951c28a0533f607e5f1534f52b3eeae0b73c5a77d281c
                                    • Opcode Fuzzy Hash: 2069d16af7bd17601be64afc8ede1392f8d809cc95c834325f13b5b231768e0b
                                    • Instruction Fuzzy Hash: 0721D334204700AFD700FBADEC92F2977A9FB4A701F904861F900D73A1DAB4A844DB36
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetIsTransparent$qqrv.VCLIMG250 ref: 00868F8B
                                      • Part of subcall function 0086AF00: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,00868F90), ref: 0086AF24
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00868F97
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00868FB6
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00868FC6
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000), ref: 00868FCF
                                    • @Vcl@Graphics@TCanvas@CopyRect$qqrrx18System@Types@TRectp20Vcl@Graphics@TCanvast1.VCL250.BPL ref: 00868FD9
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@ScaleRect$qqrrx18System@Types@TRect.VCLIMG250 ref: 00868FAE
                                      • Part of subcall function 00865B8C: MulDiv.KERNEL32(?,?,?), ref: 00865BD9
                                      • Part of subcall function 00865B8C: MulDiv.KERNEL32(?,?,00000000), ref: 00865BEB
                                      • Part of subcall function 00865B8C: MulDiv.KERNEL32(?,?,?), ref: 00865C0C
                                      • Part of subcall function 00865B8C: MulDiv.KERNEL32(?,?,00000000), ref: 00865C25
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00868FE3
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 00868FEE
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00868FF6
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 00869000
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00869008
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@ScaleRect$qqrrx18System@Types@TRect.VCLIMG250 ref: 00869021
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 0086902E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Graphics@$L250$Bitmap@Canvas$qqrv.$Gifimg@Imaging@System@$Rect$qqrrx18Types@$Brush@Frame@RectScale$BrushCanvas@Canvast1.Color$qqr21Color.CopyCount$qqrvImage@List@Rectp20Style$qqr24Style.Transparent$qqrvUitypes@
                                    • String ID:
                                    • API String ID: 1220838252-0
                                    • Opcode ID: d3debdd46f90af976df217491c0d0c1e31756aafa8d184d6d82815b130d8ed48
                                    • Instruction ID: c02aabfa35575b852b9ddf860a3e72536c75048574dc5469a2a15de73c1c8d62
                                    • Opcode Fuzzy Hash: d3debdd46f90af976df217491c0d0c1e31756aafa8d184d6d82815b130d8ed48
                                    • Instruction Fuzzy Hash: 9C2180702102018BCB08EF2CC8C5D9D77A5FF86315B1549A4BC448F26AEF71ED4ACB92
                                    APIs
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7014
                                    • @System@Variants@@VarClr$qqrr8TVarData.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC701F
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7030
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC703B
                                    • @System@Variants@@VarClr$qqrr8TVarData.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7046
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7057
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7067
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7077
                                    • @System@Variants@@VarClr$qqrr8TVarData.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7082
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC7093
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC70A4
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC70B7
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC70CA
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BC70E7,?,?,?,?,00000000,00000000), ref: 00BC70D7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$Finalize$Record$qqrpvt1.$ArrayClr$qqrpvi.Clr$qqrr8Data.System@Variants@@$Array$qqrpvt1ui.Clr$qqrpv.
                                    • String ID: SOFTWARE\Microsoft\NET Framework Setup\NDP\$Version$^([0-9]{1,})\.([0-9]{1,})([\.0-9a-z]*)$$^v([0-9]{1,})
                                    • API String ID: 287416685-1723552937
                                    • Opcode ID: 4a023972eee5614248f5a1f3af481683aec4244f69fb5a48788e219e366b3d5e
                                    • Instruction ID: 589203fa405b5188acd5e9e694b6c531a92ead86342ff82cae69ae78b707f99a
                                    • Opcode Fuzzy Hash: 4a023972eee5614248f5a1f3af481683aec4244f69fb5a48788e219e366b3d5e
                                    • Instruction Fuzzy Hash: 4611B97450011C8FD710EB54D982FDDB3F9FF49300F9089FAA518A3252EB74AA968E25
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Clear$qqrv.VCLIMG250(00000000,00864508,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00864349
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008630EF), ref: 0086312E
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008630EF), ref: 00863136
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250(?,008630EF), ref: 0086313D
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@DoSetBounds$qqriiii.VCLIMG250(00000000,00000000,?,008630EF), ref: 0086314C
                                      • Part of subcall function 00863128: @Vcl@Imaging@Gifimg@TGIFFrame@Dormant$qqrv.VCLIMG250(00000000,00000000,?,008630EF), ref: 00863158
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0086450F,?,00000000,00000000,00000000,00000000,00000000), ref: 00864502
                                      • Part of subcall function 008592EC: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00859322
                                      • Part of subcall function 008592EC: @System@@UStrClr$qqrpv.RTL250.BPL(0085934C), ref: 0085933F
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 008643B5
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00864418
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00864424
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00864457
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250 ref: 00864463
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00864497
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@LoadFromStream$qqrp22System@Classes@TStreami.VCLIMG250 ref: 008644AB
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Decompress$qqrp22System@Classes@TStream.VCLIMG250 ref: 008644B4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250 ref: 008644BB
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@DoSetBounds$qqriiii.VCLIMG250(00000000,?), ref: 008644D8
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitmap$qqrv.VCLIMG250(00000000,?), ref: 008644E8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Gifimg@Imaging@Vcl@$L250$Frame@$String$Load$Rec.String$qqrp20$Clear$qqrvSystem@@Unicode$Bounds$qqriiiiClasses@ColorItem@Map@Severityx20Warning$qqr31$ArrayBitmap$qqrvClr$qqrpv.Clr$qqrpvi.Decompress$qqrp22Dormant$qqrvEmpty$qqrvExcept$qqrv.Exception@$bctr$qqrx20FreeFromImage$qqrvList@RaiseStreamStream$qqrp22StreamiString.Sysutils@
                                    • String ID:
                                    • API String ID: 4272599990-0
                                    • Opcode ID: bc93719969c232a09148e1c06203197a9fdd104baae9bd339b5b7536697aed59
                                    • Instruction ID: c0f33f24699df4b1b2f521c5f14555cc0f46bfe56edabf601c58a53663016a05
                                    • Opcode Fuzzy Hash: bc93719969c232a09148e1c06203197a9fdd104baae9bd339b5b7536697aed59
                                    • Instruction Fuzzy Hash: 6B51AE747002019BCB10EF6CC8926AD33E2FF89315B1252A5F854CB39ADA78DD49C759
                                    APIs
                                    • @Vcl@Graphics@TBitmap@GetHandleType$qqrv.VCL250.BPL(00000000,008646ED,?,00000000,0000FFFD,?), ref: 00864581
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,008646ED,?,00000000,0000FFFD,?), ref: 00864593
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000000,008646ED,?,00000000,0000FFFD,?), ref: 00864598
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportDIBColors$qqrp5HDC__.VCLIMG250(00000000,008646ED,?,00000000,0000FFFD,?), ref: 008645A8
                                      • Part of subcall function 0085F710: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F71F
                                      • Part of subcall function 0085F710: @System@@GetMem$qqri.RTL250.BPL ref: 0085F729
                                      • Part of subcall function 0085F710: GetDIBColorTable.GDI32(?,00000000,00000100,?,00000000,0085F773), ref: 0085F74B
                                      • Part of subcall function 0085F710: @Vcl@Imaging@Gifimg@TGIFColorMap@ImportColorTable$qqrpvi.VCLIMG250(?,00000000,00000100,?,00000000,0085F773), ref: 0085F758
                                      • Part of subcall function 0085F710: @System@@FreeMem$qqrpv.RTL250.BPL(0085F77A,?,00000000,0085F773), ref: 0085F76D
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportPalette$qqrp10HPALETTE__.VCLIMG250(?,00000000,0000FFFD,?), ref: 008645C8
                                    • MulDiv.KERNEL32(00000000,00000064,?), ref: 008645F9
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,?,?,00000000,0000FFFD,?), ref: 0086460D
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,?,?,00000000,0000FFFD,?), ref: 0086461E
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000064,?,?,00000000,0000FFFD,?), ref: 0086463C
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,00000000,0000FFFD,?), ref: 00864659
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0000FFFD,?), ref: 008646BD
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(?,00000000,0000FFFD,?), ref: 008646CD
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(008646F4,?), ref: 008646E7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Vcl@$System@$ColorGifimg@Imaging@$Map@System@@$Graphics@ImportString$Bitmap@LoadRec.String$qqrp20$ArrayCallCanvas$qqrv.Canvas@Clear$qqrvClr$qqrpvi.Colors$qqrp5DynaFreeHandleHandle$qqrv.Inst$qqrv.Item@Mem$qqri.Mem$qqrpv.Move$qqrpxvpvi.Palette$qqrp10Rect$qqriiii.Severityx20TableTable$qqrpviType$qqrv.Types@UnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 811360245-0
                                    • Opcode ID: 184fe87aacc331037783ca489456613240e4bbea928856518b5f868cfa2c06e0
                                    • Instruction ID: d742c14914b7ceec8e0d19912cf237f87aa4f5b35e031d04c4e9a6c87cf2856a
                                    • Opcode Fuzzy Hash: 184fe87aacc331037783ca489456613240e4bbea928856518b5f868cfa2c06e0
                                    • Instruction Fuzzy Hash: 2551D1786006059FDB00DF68C589AAEBBE5FB59351B1181A1FD84CB362DB30EE85CB91
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 00C2D157
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D17C
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D186
                                    • CoCreateInstance.OLE32(?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D19A
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D1AE
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D1C9
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000), ref: 00C2D1D8
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000), ref: 00C2D1F2
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000), ref: 00C2D1F7
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(?,?,00000000,00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A), ref: 00C2D203
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2D247,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D23A
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2D286,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D271
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2D286,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D279
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$System@$DelphiInterface$17System@%$Interface%.Intf$Clear$qqrr44$Exit$qqrv.Finally$Char$qqrx20Copy$qqrr44CreateInitializeInstanceInterface%x44String.Unicode
                                    • String ID:
                                    • API String ID: 244221592-0
                                    • Opcode ID: b27225f6d5d2e68a5e685e98ee4601bd4b4d377f0ef69a8adecb27656487a24a
                                    • Instruction ID: 95d22f898248d954c5c3cef53cc1ff12513bbc71a37c6081f174b2cf9f5137c5
                                    • Opcode Fuzzy Hash: b27225f6d5d2e68a5e685e98ee4601bd4b4d377f0ef69a8adecb27656487a24a
                                    • Instruction Fuzzy Hash: E1416070600358AFDB11EF69DC42F9EB7E8EB5A710F5144B5F805E3A92C7709E108A64
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 0086528C
                                    • @Vcl@Graphics@TBitmap@GetTransparentColor$qqrv.VCL250.BPL ref: 00865297
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000), ref: 008652A3
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(?,00000000), ref: 008652AF
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@SetColor$qqri21System@Uitypes@TColor.VCLIMG250 ref: 008652B6
                                    • @Vcl@Graphics@TBitmap@GetTransparentColor$qqrv.VCL250.BPL ref: 008652C0
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@IndexOf$qqr21System@Uitypes@TColor.VCLIMG250 ref: 008652CD
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,?,?,008654B6), ref: 0086530E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,?,?,008654B6), ref: 00865322
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,?,?,008654B6), ref: 00865339
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Color$Gifimg@Imaging@L250System@$Transparent$Bitmap@Color$qqrv.Frame@Graphics@Map@Uitypes@$ActiveCallColor$qqri21ControlDynaExtension@GraphicIndexIndex$qqrvInst$qqrv.LoadMap$qqrvOf$qqr21Rec.Rect$qqriiii.StringString$qqrp20System@@Transparent$qqrvTypes@
                                    • String ID: d
                                    • API String ID: 724826577-2564639436
                                    • Opcode ID: a49afa67575ddbe4fe362d4ea4146ecf8598c2853fefce835e908eba92f7a616
                                    • Instruction ID: fba392b6dcf3e47f959e9bc6e6a64e40b9cc62a9598feefe38e8f7cd1d69d84c
                                    • Opcode Fuzzy Hash: a49afa67575ddbe4fe362d4ea4146ecf8598c2853fefce835e908eba92f7a616
                                    • Instruction Fuzzy Hash: E7216271A04108AFDB10EBACD981A9EB7F9FF09311F6181A5F914E7396CE30DE488B51
                                    APIs
                                    • @System@Syncobjs@TInterlocked@Increment$qqrri.RTL250.BPL(00000000,00C0229A), ref: 00C02047
                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,00000000,00C0225A,?,00000000,00C0229A), ref: 00C02069
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000002,?,00000000,000000FF,00000000,00C0225A,?,00000000,00C0229A), ref: 00C02073
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000002,?,00000000,000000FF,00000000,00C0225A,?,00000000,00C0229A), ref: 00C02078
                                    • @System@Syncobjs@TInterlocked@Decrement$qqrri.RTL250.BPL(00C02261,00000000,00C0229A), ref: 00C0220C
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(00C02261,00000000,00C0229A), ref: 00C0221B
                                    • @System@Generics@Collections@%TQueue__1$p44Oxrtl@System@Internet@TInternetPostQueueItem%@Clear$qqrv.OXCOMPONENTSRTL(00000000,00C02252,?,00C02261,00000000,00C0229A), ref: 00C02234
                                      • Part of subcall function 00C02AEC: @System@Generics@Collections@TQueueHelper@InternalClear4$qqrv.RTL250.BPL(?,00C02239,00000000,00C02252,?,00C02261,00000000,00C0229A), ref: 00C02AF2
                                    • @System@Syncobjs@TCriticalSection@Leave$qqrv.RTL250.BPL(00C02259,00C02261,00000000,00C0229A), ref: 00C0224C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Syncobjs@$CriticalExit$qqrv.FinallyGenerics@Interlocked@QueueSection@System@@$Clear$qqrvClear4$qqrv.Collections@Collections@%Decrement$qqrri.Enter$qqrv.Helper@Increment$qqrri.InternalInternetInternet@Item%@Leave$qqrv.MultipleObjectsOxrtl@PostQueue__1$p44Wait
                                    • String ID:
                                    • API String ID: 1982611932-0
                                    • Opcode ID: fe754e85b9a843f6906d8d200a4fce23d24a9ddf1ad663f23e0df9f8b44dc9dc
                                    • Instruction ID: e33c95ef06c6ffb956bccc13adc0266270e7e02d1bc6fc3e486405f33c8d4bf9
                                    • Opcode Fuzzy Hash: fe754e85b9a843f6906d8d200a4fce23d24a9ddf1ad663f23e0df9f8b44dc9dc
                                    • Instruction Fuzzy Hash: BB416B34604644EFDB11DFA8CD5AE69BBF8EB49B10B5284F5F809E3692D734EE10DA10
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086001B
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00860039
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250 ref: 0086003E
                                      • Part of subcall function 00863DD8: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00863515,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 00863DE7
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00860056
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00860069
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?), ref: 0086007E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 008600AE
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 008600B3
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 008600C7
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250 ref: 008600CF
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?), ref: 008600EA
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparentColorIndex$qqruc.VCLIMG250 ref: 008600F3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$Frame$qqriImage$Color$ControlExtension@Frame@GraphicMap$qqrvTransparent$ActiveCount$qqrvImage@Index$qqrucIndex$qqrvItem$qqriTransparent$qqrv
                                    • String ID:
                                    • API String ID: 2001505042-0
                                    • Opcode ID: a305263f2cd0d33330c7614dab805472a36b0f702e82e883be200516c84a33e7
                                    • Instruction ID: d42c304de25e2b00803383a2e39b10790ca68fd803d52e79a5ce35063e74e3da
                                    • Opcode Fuzzy Hash: a305263f2cd0d33330c7614dab805472a36b0f702e82e883be200516c84a33e7
                                    • Instruction Fuzzy Hash: 763114783096508F8320EB2DC180C3ABBE5FF893103569594F891CB722D625EC06CB52
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C022BD
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00C022CC
                                    • @System@Math@Max$qqrxixi.RTL250.BPL ref: 00C022EA
                                    • @System@Math@Max$qqrxixi.RTL250.BPL ref: 00C022FA
                                    • @System@Syncobjs@TCriticalSection@$bctr$qqrv.RTL250.BPL ref: 00C02309
                                    • @System@Generics@Collections@%TObjectQueue__1$p44Oxrtl@System@Internet@TInternetPostQueueItem%@$bctr$qqro.OXCOMPONENTSRTL ref: 00C0231A
                                    • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000), ref: 00C0232A
                                    • CreateEventW.KERNEL32(00000000,000000FF,000000FF,00000000,00000000,000000FF,00000000,00000000), ref: 00C0233A
                                    • @System@Generics@Collections@%TObjectList__1$p27Axrtl@System@Thread@TThread%@$bctr$qqro.OXCOMPONENTSRTL(00000000,000000FF,000000FF,00000000,00000000,000000FF,00000000,00000000), ref: 00C0234B
                                    • @Axrtl@System@Thread@TThread@$bctr$qqrynpqqrp27Axrtl@System@Thread@TThread$voi.AXCOMPONENTSRTL.BPL(00000002,?,?,00000000,000000FF,000000FF,00000000,00000000,000000FF,00000000,00000000), ref: 00C0236B
                                    • @System@Generics@Collections@%TList__1$p27Axrtl@System@Thread@TThread%@Add$qqrxp27Axrtl@System@Thread@TThread.OXCOMPONENTSRTL(00000002,?,?,00000000,000000FF,000000FF,00000000,00000000,000000FF,00000000,00000000), ref: 00C02375
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(00000000,000000FF,000000FF,00000000,00000000,000000FF,00000000,00000000), ref: 00C02383
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Axrtl@Thread@$Collections@%Generics@$CreateEventList__1$p27Math@Max$qqrxixi.ObjectSystem@@$Add$qqrxp27AfterClassConstruction$qqrxp14Create$qqrpvzc.CriticalInternetInternet@Item%@$bctr$qqroObject.Object@$bctr$qqrv.Oxrtl@PostQueueQueue__1$p44Section@$bctr$qqrv.Syncobjs@ThreadThread$voi.Thread%@Thread%@$bctr$qqroThread@$bctr$qqrynpqqrp27
                                    • String ID:
                                    • API String ID: 3896238780-0
                                    • Opcode ID: feb78f655895ab499ac134a9d5c47d15ad608fdb0593114a1fd990ee1f6f85c8
                                    • Instruction ID: 49e9af900d59dc207e79d6f168514e826a72c723223cfeaf5d92a1deb890cf22
                                    • Opcode Fuzzy Hash: feb78f655895ab499ac134a9d5c47d15ad608fdb0593114a1fd990ee1f6f85c8
                                    • Instruction Fuzzy Hash: CF21BAB17006056BD310EF39DC42F1AB7E4AB45B24F248329F928DB7D2DB72A9158BD0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 008758E1
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @System@@AsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008758EC
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetTransparencyMode$qqrv.VCLIMG250 ref: 008758F5
                                      • Part of subcall function 008767A8: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000,?,008758FA), ref: 008767AF
                                      • Part of subcall function 008767A8: @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250(?,00000000,?,008758FA), ref: 008767C4
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL ref: 00875904
                                    • @Vcl@Imaging@Pngimage@TPngImage@DrawPartialTrans$qqrp5HDC__rx18System@Types@TRect.VCLIMG250 ref: 0087590F
                                      • Part of subcall function 00874F68: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,008758B1), ref: 00874FEC
                                      • Part of subcall function 00874F68: @System@@FillChar$qqrpvic.RTL250.BPL ref: 008750B6
                                      • Part of subcall function 00874F68: CreateCompatibleDC.GDI32(00000000), ref: 008750E1
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetTransparentColor$qqrv.VCLIMG250(?,00000024), ref: 0087591D
                                    • @Vcl@Graphics@ColorToRGB$qqr21System@Uitypes@TColor.VCL250.BPL(?,00000024), ref: 00875922
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000000,?,00000024), ref: 0087592A
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(00000003), ref: 00875943
                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 00875949
                                    • @Vcl@Graphics@TCanvas@GetHandle$qqrv.VCL250.BPL(?,?,?,?,00000000,00000000,?,?,?,00000024,00000000,00CC0020), ref: 00875988
                                    • StretchDIBits.GDI32(00000000,?,?,?,?,00000000,00000000,?,?,?,00000024,00000000,00CC0020), ref: 0087598E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Imaging@Pngimage@$L250$Graphics@Image@System@$Canvas@Handle$qqrv.$List@$Header$qqrvItem$qqruiMetaStretchSystem@@$B$qqr21BitsC__rx18Char$qqrpvic.ClassClass$qqrp17Class$qqrxp14Class.ColorColor$qqrvColor.CompatibleCreateDrawFillFromItemModeMode$qqrvObjectp17PartialPointerRectTrans$qqrp5TransparencyTransparentTypes@Uitypes@
                                    • String ID:
                                    • API String ID: 2925288898-0
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF42F6), ref: 00BF421B
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF42F6), ref: 00BF422D
                                    • @System@Sysutils@CharInSet$qqrbrx25System@%Set$cc$i0$c$i-1$%.RTL250.BPL(00000000,00BF42F6), ref: 00BF423D
                                    • @System@@UStrDelete$qqrr20System@UnicodeStringii.RTL250.BPL(00000000,00BF42F6), ref: 00BF4261
                                    • @System@Sysutils@TrimLeft$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF42F6), ref: 00BF426F
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF42F6), ref: 00BF427D
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF42F6), ref: 00BF4285
                                    • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL250.BPL(00000000,00BF42F6), ref: 00BF42A2
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,?,000002B4,00004000,00000000,00BF42F6), ref: 00BF42C0
                                    • SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00004000), ref: 00BF42C6
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF42FD), ref: 00BF42E8
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF42FD), ref: 00BF42F0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Unicode$System@@$String.$Stringx20$Asg$qqrr20Clr$qqrpv.Len$qqrx20Sysutils@$Cat3$qqrr20CharChar$qqrx20Delete$qqrr20FileInfoLeft$qqrx20Set$cc$i0$c$i-1$%.Set$qqrbrx25Stringii.Stringt2.System@%Trim
                                    • String ID:
                                    • API String ID: 1094735032-0
                                    APIs
                                    • @System@Rtti@TValue@GetTypeKind$qqrv.RTL250.BPL ref: 00C5D145
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D6BD
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D6CE
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D6E4
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D6F4
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D705
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D718
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D72B
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D739
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D741
                                    • @System@@FinalizeArray$qqrpvt1ui.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D754
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C5D772,?,?,?,?,0000001C,00000000,00000000,?,?,00C5C294,00000000,00C5C2B2), ref: 00C5D762
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$Finalize$Array$qqrpvt1ui.Record$qqrpvt1.$Array$Clear$qqrrpvpv.Clr$qqrpv.Clr$qqrpvi.Kind$qqrv.Rtti@System@TypeValue@
                                    • String ID:
                                    • API String ID: 219724619-0
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085C876
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C885
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C890
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C89B
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8A6
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8B1
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8BC
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8C7
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8D2
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C8DD
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085C8E8
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085C8F3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$FreeMem$qqrpv.$System@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 4017372846-0
                                    APIs
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00000000,00C101DA), ref: 00C10115
                                    • @Oxrtl@Winapi@Powrprof@PowrProf@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,?,?,?,00000000,?,00000000,00C101DA), ref: 00C1012A
                                      • Part of subcall function 00C103E0: @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(?,00C0FFAB,00000000,?,?,?,?,?,?), ref: 00C103EA
                                    • @System@GetMemory$qi.RTL250.BPL(00000000,?,?,?,00000000,?,00000000,00C101DA), ref: 00C10148
                                    • @Oxrtl@Winapi@Powrprof@PowrProf@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,?,?,?,?,00000000,00000000,00C101B8,?,?,?,?,00000000,?,00000000,00C101DA), ref: 00C10171
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(?,?,?,?,00000000,00000000,00C101B8,?,?,?,?,00000000,?,00000000,00C101DA), ref: 00C10187
                                    • @System@Sysutils@Trim$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00000000,00C101B8,?,?,?,?,00000000,?,00000000,00C101DA), ref: 00C10192
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,00000000,00000000,00C101B8,?,?,?,?,00000000,?,00000000,00C101DA), ref: 00C1019D
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00C101BF,?,00000000,00000000,00C101B8,?,?,?,?,00000000,?,00000000,00C101DA), ref: 00C101B2
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00C101E1,00000000,?,00000000,00C101DA), ref: 00C101D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Unicode$System@@$Oxrtl@PowrPowrprof@Proc$qqrx20Prof@StringString.Winapi@$ArrayAsg$qqrr20Axrtl@Call$qqrx20Char$qqrr20Clr$qqrpv.Clr$qqrpvi.Dllroutines@FreeFromMem$qqrpv.Memory$qi.Routines@Stringpb.Stringt1.Stringx20Sysutils@Trim$qqrx20
                                    • String ID: PowerReadFriendlyName
                                    • API String ID: 4021585920-1629783195
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL ref: 00BF73FF
                                    • @System@Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL250.BPL ref: 00BF7411
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BF741F
                                    • @System@Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL250.BPL(?), ref: 00BF7431
                                    • @System@Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF745A
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7468
                                    • @Axrtl@Utils@Hash@Crc32@HashCRC32@FromString$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7473
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF74C2,?,00000000,00000000), ref: 00BF74A8
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BF74C2,?,00000000,00000000), ref: 00BF74B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$L250$String.$System@@$Sysutils@$Asg$qqrr20ExtractFileName$qqrx20Stringx20$ArrayAxrtl@C32@Clr$qqrpv.Clr$qqrpvi.Crc32@Format$qqrx20FromHashHash@Len$qqrx20Recxi.String$qqrx20Stringpx14Utils@
                                    • String ID: %s (%s)
                                    • API String ID: 96417070-1363028141
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • @System@Classes@TList@Sort$qqrpqqrpvt1$i.RTL250.BPL ref: 00868851
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868886
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000100), ref: 008688AF
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 008688CB
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 008688D8
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868915
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868950
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868968
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00868980
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 008689C6
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Color2RGB$qqr21System@Uitypes@TColor.VCLIMG250 ref: 008689F8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Classes@List@$Get$qqri.$Color$ArrayB$qqr21Color2Gifimg@Imaging@Length$qqrv.Map@Sort$qqrpqqrpvt1$i.System@@Uitypes@Vcl@
                                    • String ID:
                                    • API String ID: 3106138568-0
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 008679C2
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000064,00000000), ref: 008679ED
                                    • MulDiv.KERNEL32(00000000,00000064,00000000), ref: 008679F3
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000000,00000064,00000000), ref: 00867A0D
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000000,00000064,00000000), ref: 00867A1E
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL ref: 00867A36
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250 ref: 00867A3E
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00867A4D
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00867A59
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00867A89
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00867AF2), ref: 00867AE5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Gifimg@Imaging@Vcl@$LoadRec.StringString$qqrp20System@@$ArrayCallClasses@Clr$qqrpvi.Count$qqrvDynaEmpty$qqrvFrame@Frame@$bctr$qqrp28Free$qqrv.ImageInst$qqrv.List@Object@Position$qqrv.Rect$qqriiii.Stream@Types@
                                    • String ID:
                                    • API String ID: 3234228385-0
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086AEC9), ref: 0086AD4D
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086AEC9), ref: 0086AD59
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,0086ADAF,?,00000000,0086AEC9), ref: 0086AD96
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250(00000000,0086AEC9), ref: 0086AD7A
                                      • Part of subcall function 00863028: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00863031
                                      • Part of subcall function 00863028: @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 0086303E
                                      • Part of subcall function 00863028: @Vcl@Imaging@Gifimg@TGIFExtensionList@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 0086304C
                                      • Part of subcall function 00863028: @Vcl@Imaging@Gifimg@TGIFList@Add$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 008630AA
                                      • Part of subcall function 00863028: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 008630B5
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0086AEC9), ref: 0086ADD9
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250(00000000,0086AEC9), ref: 0086ADEB
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(00000000,0086AEC9), ref: 0086AEA5
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0086AED0), ref: 0086AEC3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$L250System@System@@$ImageList@$Class$qqrxp14Class.Frame@$bctr$qqrp28MetaObjectp17$Add$qqrp27AfterBitmap$qqrvClassClr$qqrpv.Construction$qqrxp14Count$qqrvCreate$qqrpvzc.ExtensionFrameFrame$qqriFreeImage@ItemItem$qqriItem@$bctr$qqrp28List@$bctr$qqrp28Object.
                                    • String ID:
                                    • API String ID: 1641429921-0
                                    • Opcode ID: 7bfcadfea27242508285921193b6afd06adbea74370b59863f695748165b244c
                                    • Instruction ID: 27052de70bc5a7afd76febbc6d83277e6d64c10ead1af76e35a8c40f2ecae972
                                    • Opcode Fuzzy Hash: 7bfcadfea27242508285921193b6afd06adbea74370b59863f695748165b244c
                                    • Instruction Fuzzy Hash: DE41D0347046049FCB09DF28D85286EB7F6FF893057A244B9E800E7760DA32AD19DF52
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085C705
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C797
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C7AC
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C7C1
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C7D6
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C7EB
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C800
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C815
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C82A
                                    • @System@@GetMem$qqri.RTL250.BPL(?,0085B68C,?,00000001,?,0085CE9E,?,00000000,?,?,0085F096,?,?,?,0085F208), ref: 0085C83F
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085C85C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Mem$qqri.$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.System@
                                    • String ID:
                                    • API String ID: 3732308598-0
                                    • Opcode ID: b9d369be1b31d5012d2cf426136867ea1c80c9125ea3dadf8723b3df963dcb38
                                    • Instruction ID: 488e86d0775b1c83ac39e5264a7ec21c8449ec6ec3f8ecf4f38cb3adc7c4b8d8
                                    • Opcode Fuzzy Hash: b9d369be1b31d5012d2cf426136867ea1c80c9125ea3dadf8723b3df963dcb38
                                    • Instruction Fuzzy Hash: F7414AB2A002104BDF149FBCCC8639936D0FB0831AF48497AED15DB346EA79D5998B95
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,008706AD,?,00000000,00000000,?,?,008712A0,?,?,?,00000000,00871364), ref: 008705AE
                                    • @System@Zlib@deflateInit_$qr20System@Zlib@z_streamipci.RTL250.BPL(017D633C,?,017D633C,00000038,00000000,008706AD,?,00000000,00000000,?,?,008712A0,?,?,?,00000000), ref: 008705C5
                                    • @System@Zlib@deflate$qr20System@Zlib@z_streami.RTL250.BPL(?,00000004), ref: 008705F7
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00870616
                                    • @System@Move$qqrpxvpvi.RTL250.BPL ref: 00870644
                                    • @System@Zlib@deflateEnd$qr20System@Zlib@z_stream.RTL250.BPL(?), ref: 0087068E
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(008706B4), ref: 008706A7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Zlib@deflate$Char$qqrpvic.Clr$qqrpv.End$qr20FillInit_$qr20Mem$qqri.Move$qqrpxvpvi.Zlib@deflate$qr20Zlib@z_stream.Zlib@z_streami.Zlib@z_streamipci.
                                    • String ID:
                                    • API String ID: 2197737472-0
                                    • Opcode ID: 049daa6102a2c6bace1462022ba43fc947cf1c8a37592b2ac9c3d1c66c2bc989
                                    • Instruction ID: 88c3734deee45b4aa4b60e825b7e3d10e69c36beb2cfc13f1885352f6cd37e7d
                                    • Opcode Fuzzy Hash: 049daa6102a2c6bace1462022ba43fc947cf1c8a37592b2ac9c3d1c66c2bc989
                                    • Instruction Fuzzy Hash: 1A410B70D00208DFDB11DFA8C885A9EBBF8FF59305F50846AE909E7341EB70AA598F51
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,00870555,?,00000000,?), ref: 00870484
                                    • @System@Zlib@inflateInit_$qr20System@Zlib@z_streampci.RTL250.BPL(?,017D633C,00000038,00000000,00870555,?,00000000,?), ref: 00870497
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,?), ref: 008704BB
                                    • @System@@ReallocMem$qqrrpvi.RTL250.BPL(00000000,?), ref: 008704C8
                                    • @System@Zlib@inflate$qr20System@Zlib@z_streami.RTL250.BPL(?,00000000,00000000,?), ref: 008704E2
                                    • @System@@ReallocMem$qqrrpvi.RTL250.BPL(?,?,00000000,?), ref: 008704FA
                                    • @System@@LStrFromPChar$qqrr27System@%AnsiStringT$us$i0$%pcus.RTL250.BPL(?,?,00000000,?), ref: 00870512
                                    • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,?,00000000,?), ref: 0087051D
                                    • @System@Zlib@inflateEnd$qr20System@Zlib@z_stream.RTL250.BPL(?,?,?,00000000,?), ref: 00870526
                                    • @System@Zlib@inflateEnd$qr20System@Zlib@z_stream.RTL250.BPL(?,?,?,00000000,?), ref: 00870539
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(0087055C,?), ref: 0087054F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$Zlib@inflate$AnsiEnd$qr20FromMem$qqrrpvi.ReallocStringSystem@%Zlib@z_stream.$Char$qqrpvic.Char$qqrr27Clr$qqrpv.FillInit_$qr20Mem$qqri.Str$qqrr20Stringx27T$us$i0$%.T$us$i0$%pcus.UnicodeZlib@inflate$qr20Zlib@z_streami.Zlib@z_streampci.
                                    • String ID:
                                    • API String ID: 3109246630-0
                                    • Opcode ID: 61979347fd9a29aac809a913851dd2512c5a2ef127d27cfba0c327d094fae2e3
                                    • Instruction ID: bf9a92b969db565e01195748c981f7ee19f4f9fa62ca502e3e1fec406feed831
                                    • Opcode Fuzzy Hash: 61979347fd9a29aac809a913851dd2512c5a2ef127d27cfba0c327d094fae2e3
                                    • Instruction Fuzzy Hash: 0A315C70A00208DFDB11DFA8D885B9EB7F8FF49315F508429E948E3241EB74A949CF55
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BD922F
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtRender$qqruiuiuiuipvpuit6.OXCOMPONENTSRTL(?,?,?,00000000,00000000,00BD92FE), ref: 00BD9269
                                      • Part of subcall function 00BD9DC4: @Oxrtl@Winapi@Wevtapi@WevtApi@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,?,00000001,00BD92FE,?,?,?,?,?,00000000,?,00BD926E,?,?,?,00000000), ref: 00BD9DE8
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00BD92FE), ref: 00BD9278
                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00BD92FE), ref: 00BD9282
                                    • @System@GetMemory$qi.RTL250.BPL(00000000,?,?,?,00000000,00000000,00BD92FE), ref: 00BD9290
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtRender$qqruiuiuiuipvpuit6.OXCOMPONENTSRTL(?,00000000,?,00000000,?,?,?,00000000,00000000,00BD92FE), ref: 00BD92B2
                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00BD92FE), ref: 00BD92B7
                                    • @System@FreeMemory$qpv.RTL250.BPL(?,?,?,?,00000000,00000000,00BD92FE), ref: 00BD92C4
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00BD92FE), ref: 00BD92CF
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(?,?,?,00000000,00000000,00BD92FE), ref: 00BD92DB
                                    • @System@FreeMemory$qpv.RTL250.BPL(00000000,00BD9305,00000000,00000000,00BD92FE), ref: 00BD92F7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@Unicode$Api@Oxrtl@WevtWevtapi@Winapi@$ErrorExit$qqrv.FinallyFreeLastMemory$qpv.Render$qqruiuiuiuipvpuit6$Asg$qqrr20Char$qqrr20FromMemory$qi.Proc$qqrx20StringString.Stringpb.Stringx20
                                    • String ID:
                                    • API String ID: 241666407-0
                                    • Opcode ID: eb65ca623feac172717aff00c08f396e782170ed2d96f58840336ff2438808c0
                                    • Instruction ID: 67a6ddd640d9fb89dd864b00ea51d9c417b1f256ffc9e4c31d7c1f764e040513
                                    • Opcode Fuzzy Hash: eb65ca623feac172717aff00c08f396e782170ed2d96f58840336ff2438808c0
                                    • Instruction Fuzzy Hash: 01212D76A00208BFDB10DEE9D981A9FF7FDEB49310F2144EBE508E3641EA349E409760
                                    APIs
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(00000000,00BCD22D), ref: 00BCD0CA
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCD22D), ref: 00BCD0D2
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCD22D), ref: 00BCD0E2
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxPackageID$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00BCD22D), ref: 00BCD0F2
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCD14A,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD12C
                                    • @Axrtl@Typelibrary@Appxpackaging@CoAppxFactory@Create$qqrv.AXCOMPONENTSRTL.BPL(00000000,00BCD14A,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD13B
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(00000000,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD188
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackage@$bctr$qqrx20System@UnicodeStringt1p32Axrtl@Winapi@Kernel32@TPackageID.OXCOMPONENTSRTL(00000000,?,00000000,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD19F
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,?,00000000,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD1B2
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@TAppxPackage@UpdateInfo$qqrx71System@%DelphiInterface$44Axrtl@Typelibrary@Appxpackaging@IAppxFactory%p27Axrtl@System@Thread@TThread.OXCOMPONENTSRTL(00000000,?,00000000,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD1BF
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,?,00000000,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD1CB
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCD1ED,00BCD1E6,?,00000000,00BCD203,?,00000000,00BCD22D), ref: 00BCD1E0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Appx$DelphiSystem@%$Axrtl@Interface$17L250System@@$Thread@$Interface%.IntfUnicode$Appxpackages@Oxrtl@Utils@$Appxpackaging@Check$qqrui.Clear$qqrr44Copy$qqrr44Interface%x44Len$qqrx20PackageSleepString.Typelibrary@$Create$qqrv.D$qqrx20Factory%p27Factory@Info$qqrx71Interface$44Kernel32@Package@Package@$bctr$qqrx20StringStringt1p32ThreadUpdateWinapi@
                                    • String ID:
                                    • API String ID: 3992179026-0
                                    • Opcode ID: 56c86e84cae3e3933248f38295b8b44f50329b76a522d6afe73c6d174cb2fe29
                                    • Instruction ID: a041cb064b715f61edd0da4a23b2d613f0015088bf8ed5e59a0b2a67c449e02b
                                    • Opcode Fuzzy Hash: 56c86e84cae3e3933248f38295b8b44f50329b76a522d6afe73c6d174cb2fe29
                                    • Instruction Fuzzy Hash: D721A234A00609AFDB15EF69C991FAEB7F1EB89300F5488FCE800B3661CB349E01CA50
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00BCC025
                                    • @Axrtl@Project@Interfacedobject@TInterfacedObject@$bctr$qqrv.AXCOMPONENTSRTL.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC046
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC050
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC05B
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC066
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC091
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC09C
                                    • @Oxrtl@System@Appxpackages@TAppxUtils@AppxPackagePath$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BCC0A7
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC0DC,?,?,?), ref: 00BCC0B2
                                    • @System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@$bctr$qqrv.OXCOMPONENTSRTL ref: 00BCC0BE
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BCC0E3), ref: 00BCC0D6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$L250System@@$AppxAsg$qqrr20Char$qqrr20FromString.Stringpb.Stringx20$Appxpackages@Oxrtl@$Application%%@$bctr$qqrvAxrtl@ClassClr$qqrpv.Collections@%Create$qqrpvzc.DelphiGenerics@Interface$42InterfacedInterfacedobject@List__1$69Object@$bctr$qqrv.PackagePath$qqrx20Project@StringSystem@%Utils@
                                    • String ID:
                                    • API String ID: 4266239738-0
                                    • Opcode ID: ad06d8591560052201d2818dd073b15b3f535571c4ff20526f891e1d8052795c
                                    • Instruction ID: 7e868c6567f118decbab63b87d136387ae64423439ca51b7ca9e8b97c23b4558
                                    • Opcode Fuzzy Hash: ad06d8591560052201d2818dd073b15b3f535571c4ff20526f891e1d8052795c
                                    • Instruction Fuzzy Hash: 1D216D381002049FC710DF65C8C1D9ABBF5EF4931031189AAEC54DB756EB34E945CB95
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866A6E
                                      • Part of subcall function 00863DD8: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00863515,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 00863DE7
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866A80
                                      • Part of subcall function 00863DD8: @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00863515,00000000,?,?,00000003,?,00000000,00863887,?,00000000,00863898,?,00000000,008638D3), ref: 00863DFA
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866A8E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AA0
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AB1
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Add$qqr21System@Uitypes@TColor.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866ABC
                                      • Part of subcall function 0085F804: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085F8AF), ref: 0085F835
                                      • Part of subcall function 0085F804: @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250(00000000,0085F8AF), ref: 0085F861
                                      • Part of subcall function 0085F804: @Vcl@Imaging@Gifimg@TGIFColorMap@Color2RGB$qqr21System@Uitypes@TColor.VCLIMG250(00000000,0085F8AF), ref: 0085F86E
                                      • Part of subcall function 0085F804: @System@@UStrClr$qqrpv.RTL250.BPL(0085F8B6), ref: 0085F8A9
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AC9
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AD5
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AE4
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(00000000,00866B15,?,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866AF0
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00866B1C,?,?,00000000,00000000,?,00866A03,?,0086623B,00000000,00866277), ref: 00866B0F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Color$System@$Map$qqrv$ActiveFrame@L250String$LoadMap@Rec.String$qqrp20$Image@Item@Severityx20System@@Uitypes@UnicodeWarning$qqr31$Add$qqr21ArrayB$qqr21Capacity$qqriClr$qqrpv.Clr$qqrpvi.Color2
                                    • String ID:
                                    • API String ID: 2073125759-0
                                    • Opcode ID: 91bb6ab272619ab2d2c92e5f6e6a7f04718fa5048943577abb220a5997b85194
                                    • Instruction ID: c59fb91e7cc9b59fa7ef6f89b51cef8d81e9772e02bcd5855568d1b0637b6d39
                                    • Opcode Fuzzy Hash: 91bb6ab272619ab2d2c92e5f6e6a7f04718fa5048943577abb220a5997b85194
                                    • Instruction Fuzzy Hash: E5216730300754AFD711EB6CC882A59B3E9FF44315F528465E844DB7A2EBB4ED99CB42
                                    APIs
                                    • @System@@LStrAsg$qqrr27System@%AnsiStringT$us$i0$%x27System@%AnsiStringT$us$i0$%.RTL250.BPL(00000000,00871364), ref: 00871264
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL(00000000,00871364), ref: 0087126C
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(?,?,?,00000000,00871364), ref: 008712BC
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,00000000,00871364), ref: 008712C9
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,?,?,00000000,00871364), ref: 008712D7
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?,?,00000000,00871364), ref: 008712F3
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?,?,00000000,00871364), ref: 0087132B
                                    • @Vcl@Imaging@Pngimage@TChunk@SaveData$qqrp22System@Classes@TStream.VCLIMG250(?,?,?,00000000,00871364), ref: 00871335
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?,?,?,00000000,00871364), ref: 00871349
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0087136B,00000000,00871364), ref: 0087135E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$StringSystem@@$AnsiSystem@%$System@T$us$i0$%.$A$qqrr27Chunk@Imaging@Move$qqrpxvpvi.Pngimage@UniqueVcl@$Asg$qqrr27Char$qqrpvic.Classes@Clr$qqrpv.Data$qqrp22Data$qqrxuiFillFreeMem$qqrpv.ResizeSaveStreamT$us$i0$%x27
                                    • String ID:
                                    • API String ID: 2528244639-0
                                    • Opcode ID: 64b998287d8e1534d57d53baefa00aa2f9dab34f3da6dea4ff73b2121035ff44
                                    • Instruction ID: bd5c284f2739a30be37971b6594cd8c5a36adb8bbfc79f1e577534bb1a1900ee
                                    • Opcode Fuzzy Hash: 64b998287d8e1534d57d53baefa00aa2f9dab34f3da6dea4ff73b2121035ff44
                                    • Instruction Fuzzy Hash: 1C412871B006049FDF14DF6CC989A6A77E8FB09300B4485A5E819EBB4ADA34ED04CB61
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00874909
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00874979
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250 ref: 00874989
                                    • @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250 ref: 0087499F
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250 ref: 008749B7
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250 ref: 008749C8
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@PrepareImageData$qqrv.VCLIMG250 ref: 008749F5
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250 ref: 00874A0C
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250 ref: 00874A29
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00874A52), ref: 00874A45
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Imaging@Pngimage@Vcl@$ClassMeta$Add$qqrp17List@$L250$Image@StringSystem@@$ChunkClass20Clr$qqrpv.Create$qqrpvzc.Data$qqrvError$qqrp17Gamma$qqrvImageInitializeLoadPrepareRaiseRec.String$qqrp20Unicode
                                    • String ID:
                                    • API String ID: 1251919281-0
                                    • Opcode ID: 11b2ec79a04b1cea56c19bae4632ef472f82006ff5bf51da8cf6a7a82eb38fba
                                    • Instruction ID: 4c3cf5a175a1406d8c23d39c0a49a279818cda53091cdf3e6427c91ff825c9b7
                                    • Opcode Fuzzy Hash: 11b2ec79a04b1cea56c19bae4632ef472f82006ff5bf51da8cf6a7a82eb38fba
                                    • Instruction Fuzzy Hash: BC419F35A047448FCB10CF3CC8857AABBA1FB55310F149275E928C736AD771E945CB52
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Add$qqr21System@Uitypes@TColor.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F53
                                      • Part of subcall function 0085F804: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085F8AF), ref: 0085F835
                                      • Part of subcall function 0085F804: @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250(00000000,0085F8AF), ref: 0085F861
                                      • Part of subcall function 0085F804: @Vcl@Imaging@Gifimg@TGIFColorMap@Color2RGB$qqr21System@Uitypes@TColor.VCLIMG250(00000000,0085F8AF), ref: 0085F86E
                                      • Part of subcall function 0085F804: @System@@UStrClr$qqrpv.RTL250.BPL(0085F8B6), ref: 0085F8A9
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F65
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F7E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F91
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865F96
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865FA9
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865FC1
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(?,?,00000000,?,008661E3,?,00000000,00866277), ref: 00865FC9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Color$List@$Frame$qqriImageSystem@$Map@$L250Uitypes@$Add$qqr21B$qqr21Capacity$qqriClr$qqrpv.Color2ControlCount$qqrvExtension@Frame@GraphicIndex$qqrvLoadRec.StringString$qqrp20System@@TransparentTransparent$qqrv
                                    • String ID:
                                    • API String ID: 37361886-0
                                    • Opcode ID: 7fb7d9cfbee06897cff95e60cfa32754da13c57921da2d05a34ec6077eceff84
                                    • Instruction ID: ed195fe6a3b50be2168306ea4871522fd2f286b184098d678c931d0f81a74354
                                    • Opcode Fuzzy Hash: 7fb7d9cfbee06897cff95e60cfa32754da13c57921da2d05a34ec6077eceff84
                                    • Instruction Fuzzy Hash: 5B21EF342026048FC700EB2DD985D25BBE8FF08364B6692A1FA55CB327CB30ED05CB91
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A5D3
                                      • Part of subcall function 0086ACF8: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,?,008698A5,?,008698DD,0086981D), ref: 0086ACFE
                                      • Part of subcall function 0086ACF8: @System@TObject@Free$qqrv.RTL250.BPL(?,?,008698A5,?,008698DD,0086981D), ref: 0086AD15
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A5E4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@SetBitmap$qqrp20Vcl@Graphics@TBitmap.VCLIMG250(?,?,?,008699F6), ref: 0086A5FF
                                      • Part of subcall function 00863DB8: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250 ref: 00863DC0
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A609
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@SetPalette$qqrp10HPALETTE__.VCLIMG250(?,?,?,008699F6), ref: 0086A610
                                      • Part of subcall function 008631E8: DeleteObject.GDI32(?), ref: 008631FB
                                      • Part of subcall function 008631E8: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250 ref: 00863221
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A5F8
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A628
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A635
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A64D
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A655
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@$List@$Frame$qqriFrame@Image$Bitmap$qqrvFree$Count$qqrvImage@$BitmapBitmap$qqrp20Clear$qqrvColorDeleteDraw$qqrvFree$qqrv.Graphics@Item$qqriL250Map@ObjectObject@Palette$qqrp10StopSystem@
                                    • String ID:
                                    • API String ID: 1401260051-0
                                    • Opcode ID: 742ec007fd6c6329b33ba4f0149fa0c5368278bfbc7875b998fd918333cd69d4
                                    • Instruction ID: a7e579c81826f4dc239ba9f21e25eb3a7b4f5c1a8e02dc40d4744d53511ee011
                                    • Opcode Fuzzy Hash: 742ec007fd6c6329b33ba4f0149fa0c5368278bfbc7875b998fd918333cd69d4
                                    • Instruction Fuzzy Hash: FA11F2757111108BDB44EF2DC4C5929BBEAFF88715396A4A4EC45CF32ACA35DC86CA82
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C023A3
                                    • @Oxrtl@System@Thread@%TThreadQueue__1$p44Oxrtl@System@Internet@TInternetPostQueueItem%@Shutdown$qqrv.OXCOMPONENTSRTL ref: 00C023AF
                                      • Part of subcall function 00C025A4: @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(?,00000000,?,?,00C023B4), ref: 00C025BC
                                      • Part of subcall function 00C025A4: @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00C02626,?,?,00000000,?,?,00C023B4), ref: 00C025D8
                                    • @System@Generics@Collections@%TList__1$p27Axrtl@System@Thread@TThread%@Delete$qqri.OXCOMPONENTSRTL ref: 00C023BB
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C023CD
                                    • CloseHandle.KERNEL32(?), ref: 00C023D6
                                    • CloseHandle.KERNEL32(?,?), ref: 00C023DF
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(?,?), ref: 00C023E7
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(?,?), ref: 00C023EF
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL(?,?), ref: 00C023FD
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL(?,?), ref: 00C0240A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$FreeNil$qqrpv.System@@Sysutils@$CloseHandleOxrtl@$Axrtl@BeforeClassCollections@%CriticalDelete$qqriDestroy$qqrxp14Destruction$qqrxp14Enter$qqrv.Exit$qqrv.FinallyGenerics@InternetInternet@Item%@List__1$p27Object.Object@$bdtr$qqrv.Objectzc.PostQueueQueue__1$p44Section@Shutdown$qqrvSyncobjs@ThreadThread%@Thread@Thread@%
                                    • String ID:
                                    • API String ID: 655991732-0
                                    • Opcode ID: 5105163336735a116b50f2ad6f328043467edf2a558fa553858b3b55e6742733
                                    • Instruction ID: e1726044301a5f3df1cf9dd2113c4aa23a2b099ee3a42087b03e103418986fd3
                                    • Opcode Fuzzy Hash: 5105163336735a116b50f2ad6f328043467edf2a558fa553858b3b55e6742733
                                    • Instruction Fuzzy Hash: CB01A2227042445BDB00FB7CDCC2E5D77D89F4222175889E9F514AB247DA34DE0B8760
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 008774E2
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 008774F6
                                      • Part of subcall function 00874EC4: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F0D
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F1D
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@PaletteToDIB$qqrp10HPALETTE__.VCLIMG250 ref: 008774FE
                                      • Part of subcall function 0087194C: @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,?,00871C1C,?,?,?,00000000,00000000), ref: 00871962
                                      • Part of subcall function 0087194C: GetPaletteEntries.GDI32(?,00000000,00000100,?), ref: 00871974
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000), ref: 0087750C
                                    • SelectPalette.GDI32(?,?,00000000), ref: 00877515
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,00000000), ref: 0087751D
                                    • RealizePalette.GDI32(?), ref: 00877526
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,?,00000000), ref: 0087752E
                                    • DeleteObject.GDI32(?), ref: 00877537
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,?,?,00000000), ref: 0087753F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Image@$Header$qqrvSystem@$L250Palette$System@@$MetaString$B$qqrp10Char$qqrpvic.ChunkClass$qqrxp14Class.Class20Clr$qqrpv.DeleteEntriesError$qqrp17FillItem$qqruiList@LoadObjectObjectp17RaiseRealizeRec.SelectString$qqrp20Unicode
                                    • String ID:
                                    • API String ID: 1802471119-0
                                    • Opcode ID: adb8ceb73157e714dcac47363de9a9f5ad7d8b52cdad45161492bbeb90805923
                                    • Instruction ID: b81a7689992edf5363831159c84d677da96f2433ef392ae1238463d44cd01756
                                    • Opcode Fuzzy Hash: adb8ceb73157e714dcac47363de9a9f5ad7d8b52cdad45161492bbeb90805923
                                    • Instruction Fuzzy Hash: 5A01C071944148EFCF14EBACC986A8DB7B5FF05320F108594B408EB2A6D730DE41CB52
                                    APIs
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870265
                                      • Part of subcall function 008701E4: @Vcl@Imaging@Pngimage@TPNGPointerList@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 008701F9
                                      • Part of subcall function 008701E4: @System@@GetMem$qqri.RTL250.BPL ref: 00870208
                                      • Part of subcall function 008701E4: @Vcl@Imaging@Pngimage@TPNGPointerList@Add$qqrpv.VCLIMG250 ref: 00870216
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 0087026F
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870279
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870283
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 0087028D
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870297
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702A1
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702AB
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702B5
                                    • @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702BF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Chunk$qqrp17ClassMetaRegisterSystem@$Pointer$Add$qqrpvImageL250List@List@$bctr$qqrp30Mem$qqri.System@@
                                    • String ID:
                                    • API String ID: 2006562266-0
                                    • Opcode ID: bdabbdf8528f23fb8c26b50532ec85180a2a09a2a58993ed6fdd16290dbe4435
                                    • Instruction ID: 0bc0aa5091b9649b74e588881eb5edc17b686af758f7cf8991aaf1a95ac2f56e
                                    • Opcode Fuzzy Hash: bdabbdf8528f23fb8c26b50532ec85180a2a09a2a58993ed6fdd16290dbe4435
                                    • Instruction Fuzzy Hash: 30F05325215190CBDA04EB28FD8280C33A4FB16702792A133F519CA23ADAE5EE41CF22
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,HARDWARE\ACPI\DSDT\VBOX__,00000000,00020019,?), ref: 00C2B1C7
                                    • RegCloseKey.ADVAPI32(?,80000002,HARDWARE\ACPI\DSDT\VBOX__,00000000,00020019,?), ref: 00C2B1D8
                                    • @System@GetMemory$qi.RTL250.BPL(00001000,80000002,HARDWARE\ACPI\DSDT\VBOX__,00000000,00020019,?), ref: 00C2B1EE
                                    • WNetGetProviderNameW.MPR(00250000,?,00001000), ref: 00C2B212
                                    • lstrcmpiW.KERNEL32(?,VirtualBox Shared Folders,00000000,00C2B249,?,80000002,HARDWARE\ACPI\DSDT\VBOX__,00000000,00020019,?), ref: 00C2B224
                                    • @System@FreeMemory$qpv.RTL250.BPL(?,00C2B250,80000002,HARDWARE\ACPI\DSDT\VBOX__,00000000,00020019,?), ref: 00C2B242
                                    Strings
                                    • HARDWARE\ACPI\DSDT\VBOX__, xrefs: 00C2B1BD
                                    • VirtualBox Shared Folders, xrefs: 00C2B21B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$CloseFreeMemory$qi.Memory$qpv.NameOpenProviderlstrcmpi
                                    • String ID: HARDWARE\ACPI\DSDT\VBOX__$VirtualBox Shared Folders
                                    • API String ID: 1925627811-1669829656
                                    • Opcode ID: 09e3554dcc3e672d31f5c9f3261f0b5d43af6cb82ffb8a6b506007e6bbac8599
                                    • Instruction ID: 8c70d57640adc552875a07b976dc150e8d017bbcc9e6d8d9b91ac7b7891ec04f
                                    • Opcode Fuzzy Hash: 09e3554dcc3e672d31f5c9f3261f0b5d43af6cb82ffb8a6b506007e6bbac8599
                                    • Instruction Fuzzy Hash: 6711C171944358BAEB04DBE4AC06FAEB7FC9B45304F004498F924E2A81D7B59A448760
                                    APIs
                                    • @Axrtl@Winapi@Kernel32@Kernel32@ExpandEnvironmentStrings$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC83FD
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC8406
                                    • @Axrtl@Winapi@Shell32@Shell32@SHGetSpecialFolderPath$qqrio.AXCOMPONENTSRTL.BPL(?,00000000,00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC8425
                                    • @System@Sysutils@ExcludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC8430
                                    • @System@Sysutils@StringReplace$qqrx20System@UnicodeStringt1t162System@%Set$35System@Sysutils@System_Sysutils__85t1$i0$t1$i1$%.RTL250.BPL(?,00000000,00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC843F
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,00000000,00000000,00BC8469,?,?,?,00000000,00000000,00000000), ref: 00BC8449
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BC8470,?,?,00000000,00000000,00000000), ref: 00BC8463
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$Axrtl@L250$String.Sysutils@$Kernel32@Osinfo@Shell32@System@@Win@Winapi@$ArrayAsg$qqrr20Clr$qqrpvi.Delimiter$qqrx20EnvironmentExcludeExpandFolderInfo@PathPath$qqrio.Replace$qqrx20Set$35SpecialStringStrings$qqrx20Stringt1t162Stringx20System@%System_Sysutils__85t1$i0$t1$i1$%.TrailingVersiont1.WindowsWindows$qqr39
                                    • String ID: %LOCALAPPDATA%
                                    • API String ID: 2198776-1991000653
                                    • Opcode ID: 48b8dc630cebbbb3b67b1eee1f7119ed8e7842ca8923bb5898c15ae5e711b937
                                    • Instruction ID: 7331f9f4497f74774b8a6be9acbce76f51109527c8ed731838e070b18e634c95
                                    • Opcode Fuzzy Hash: 48b8dc630cebbbb3b67b1eee1f7119ed8e7842ca8923bb5898c15ae5e711b937
                                    • Instruction Fuzzy Hash: 3A01D4347002086FE705EBA8DC62F9EB3E9DB8A700F5580F9F500A7351DA34AE058660
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF40F8), ref: 00BF400C
                                    • @System@Win@Registry@TRegistry@$bctr$qqrv.RTL250.BPL(00000000,00BF40F8), ref: 00BF4020
                                    • @System@Win@Registry@TRegistry@SetRootKey$qqrp6HKEY__.RTL250.BPL(00000000,00BF40A5,?,00000000,00BF40F8), ref: 00BF403E
                                    • @System@Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(?,00000000,00BF40A5,?,00000000,00BF40F8), ref: 00BF4068
                                    • @Axrtl@System@Win@Registry@TRegistry@OpenKeyReadOnly$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(?,00000000,00BF40A5,?,00000000,00BF40F8), ref: 00BF4073
                                    • @Axrtl@System@Win@Registry@TRegistry@ReadString$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(?,00000000,00BF40A5,?,00000000,00BF40F8), ref: 00BF408A
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00BF40AC,?,00000000,00BF40F8), ref: 00BF409F
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF40F8), ref: 00BF40B1
                                    • @Oxrtl@System@Fileutils@FileUtils@CommandLineToFileName$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00BF40F8), ref: 00BF40C2
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF40F8), ref: 00BF40CD
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40E2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40EA
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Unicode$Registry@$System@@$String.$Win@$Clr$qqrpv.$Axrtl@FileLen$qqrx20ReadSysutils@$Asg$qqrr20CommandFileutils@Format$qqrx20FreeKey$qqrp6LineName$qqrx20Nil$qqrpv.Only$qqrx20OpenOxrtl@Recxi.Registry@$bctr$qqrv.RootStringString$qqrx20Stringpx14Stringx20Utils@Y__.
                                    • String ID: \%s\shell\%s\command\
                                    • API String ID: 681437050-2264411561
                                    • Opcode ID: 50a35d7a91c94667638788615adbbaa22d4ac2d1db02486998f59699bb115a1e
                                    • Instruction ID: 5ad0bca1c00508d5dde6a41d80f3997b3971b719ceb5fd360d0db1dfa22302d0
                                    • Opcode Fuzzy Hash: 50a35d7a91c94667638788615adbbaa22d4ac2d1db02486998f59699bb115a1e
                                    • Instruction Fuzzy Hash: 96110034A001099FDB05DFA8D851BEEBBF5EB49700F5180A9EA00B7351DB75AD45CB50
                                    APIs
                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00851A20
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 152b9d3d207a70b983ca4ac72da8d589111ed054b99e68dc4e689372988c62f7
                                    • Instruction ID: 47d45900d6212c1bd386414c8ed4df8333a79c5e008dafb676b2df155a371db2
                                    • Opcode Fuzzy Hash: 152b9d3d207a70b983ca4ac72da8d589111ed054b99e68dc4e689372988c62f7
                                    • Instruction Fuzzy Hash: 36A18D75A00709DFDF21DFE8C889BAEB7B5FB48311F104529E905EB280EB70A948CB51
                                    APIs
                                    • @Oxrtl@System@Processes@Processes@TProcess@ProcessHandle$qqrxuixo.OXCOMPONENTSRTL ref: 00C1D036
                                      • Part of subcall function 00C1C588: @Oxrtl@System@Processes@Processes@TProcess@GetID$qqrv.OXCOMPONENTSRTL(?,?,?,?,00C1CCB0), ref: 00C1C596
                                      • Part of subcall function 00C1C588: OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,?,?,00C1CCB0), ref: 00C1C5A4
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(00000000,0000000A,00000000,00C1D0FF,?,00000000,00C1D160), ref: 00C1D09F
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00000000,00C1D160), ref: 00C1D05F
                                      • Part of subcall function 00BF089C: @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00BF08A7
                                    • WaitForSingleObject.KERNEL32(00000000,0000000A,00000000,00C1D0FF,?,00000000,00C1D160), ref: 00C1D08E
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00000000,0000000A,00000000,00C1D0FF,?,00000000,00C1D160), ref: 00C1D0A9
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00C1D0FF,?,00000000,00C1D160), ref: 00C1D0D5
                                    • WaitForSingleObject.KERNEL32(00000000,0000000A,00000000,0000000A,00000000,00C1D0FF,?,00000000,00C1D160), ref: 00C1D0E5
                                    • @Oxrtl@System@Processes@Processes@TProcess@Terminate$qqrxuixui.OXCOMPONENTSRTL(00C1D0FF,?,00000000,00C1D160), ref: 00C1D144
                                    • CloseHandle.KERNEL32(00000000,00C1D167,00C1D160), ref: 00C1D15A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Processes@$Oxrtl@$Utils@$Axrtl@Process@$Count64$qqrvObjectOsinfo@ProcessSingleThread@TickWaitWin@$Check$qqrui.CloseD$qqrvExit$qqrv.FinallyHandleHandle$qqrxuixoInfo@L250OpenSleepSystem@@Terminate$qqrxuixuiVersiont1.WindowsWindows$qqr39
                                    • String ID:
                                    • API String ID: 1900142688-0
                                    • Opcode ID: 865823fb1a9d0b3171ee3e3820f7b5f3be59dda2b915f1fec490f6f43c45c4ae
                                    • Instruction ID: c11f02d10a7549277b8970d28e805f863456cc0d0378199f6d34acc33aa4ef1e
                                    • Opcode Fuzzy Hash: 865823fb1a9d0b3171ee3e3820f7b5f3be59dda2b915f1fec490f6f43c45c4ae
                                    • Instruction Fuzzy Hash: A8312C31A042049FDB15DB69D851BFEB7F5EB8A720F20857AF42593280DB704D83A690
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD1A
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD33
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD4C
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD65
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD7E
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CD97
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CDB0
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CDC9
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085CDE2
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Char$qqrpvic.FillL250System@@
                                    • String ID:
                                    • API String ID: 4233932837-0
                                    • Opcode ID: 1202fb11a9adadfdeadb7240b7c7a0a93ff4a2355e237ba1ca5b544615cd8fa5
                                    • Instruction ID: c686146236c968d202f5943f25528c4b0f4a6a7ae11bffc4759f89f67ba15132
                                    • Opcode Fuzzy Hash: 1202fb11a9adadfdeadb7240b7c7a0a93ff4a2355e237ba1ca5b544615cd8fa5
                                    • Instruction Fuzzy Hash: 824180717415408BDF08DF2DC88278936E2BF88216B4DC4B9EC59DE30ADE39E8558BA4
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868323
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL(00000000,00868423,?,00000000,00000000,?), ref: 00868339
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868358
                                      • Part of subcall function 00864284: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparent$qqrv.VCLIMG250(?,?,008632B6,?,?,?,00861D80), ref: 00864291
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868369
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00868423,?,00000000,00000000,?), ref: 008683A1
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 008683AE
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparentColorIndex$qqruc.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 008683F7
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparent$qqro.VCLIMG250(00000000,00868423,?,00000000,00000000,?), ref: 00868404
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0086842A,00000000,00000000,?), ref: 0086841D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$ControlExtension@GraphicSystem@$L250$ColorFrame@StringTransparentTransparent$qqrv$Add$qqrpv.Classes@Clr$qqrpv.Empty$qqrvIndex$qqrucIndex$qqrvItem@List@LoadRec.Severityx20String$qqrp20System@@Transparent$qqroUnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 2395835107-0
                                    • Opcode ID: c23fd7ecae406ebc619faedf8fa3f2a559de0e6d0c5429cee283fb4a7ce71516
                                    • Instruction ID: 536507334a028929d365933356d5b1423b28c7e0ac2a3e6aa33fd06de4e11267
                                    • Opcode Fuzzy Hash: c23fd7ecae406ebc619faedf8fa3f2a559de0e6d0c5429cee283fb4a7ce71516
                                    • Instruction Fuzzy Hash: F8415D70A04249DFCB01DBA8C591AAEBBF1FF45300F564295E884EB352EB309E41CB95
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086BB48
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,0086BC2F), ref: 0086BB70
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086BB95
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250 ref: 0086BB9A
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 0086BBA8
                                    • @Vcl@Imaging@Gifimg@TGIFImage@EffectiveBackgroundColor$qqrv.VCLIMG250 ref: 0086BBB0
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 0086BBBA
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,00000000), ref: 0086BBDB
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Draw$qqrp20Vcl@Graphics@TCanvasrx18System@Types@TRectoo.VCLIMG250(00000000,00000000), ref: 0086BBE4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@$Graphics@List@$Brush@Count$qqrvFrame$qqriFrame@ImageL250System@$BackgroundBrushCanvasrx18Color$qqr21Color$qqrvColor.Draw$qqrp20EffectiveImage@RectooStyle$qqr24Style.Transparent$qqrvTypes@Uitypes@
                                    • String ID:
                                    • API String ID: 2802008341-0
                                    • Opcode ID: 086054465c44f952676021e39bc87f9aa09422ff4b70658eb2058633c9f5c952
                                    • Instruction ID: 6bf820804f376b938fcf4d2112efdea8616f1424dbc454b0603660e4e8cb6a1d
                                    • Opcode Fuzzy Hash: 086054465c44f952676021e39bc87f9aa09422ff4b70658eb2058633c9f5c952
                                    • Instruction Fuzzy Hash: CA311274A04208DFDB00DB68C685A69B7F5FF49314FA640E4E804DB326DB70EE85EB41
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C26089
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C2617E), ref: 00C260A7
                                    • @System@Syncobjs@TCriticalSection@$bctr$qqrv.RTL250.BPL(00000000,00C2617E), ref: 00C260B3
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2617E), ref: 00C260CB
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(00000000,00C2617E), ref: 00C260E5
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@GetIsServerWindows$qqrv.OXCOMPONENTSRTL ref: 00C26105
                                    • @Axrtl@Typelibrary@Wbemscripting@CoSWbemLocator@Create$qqrv.AXCOMPONENTSRTL.BPL(00000000,00C2614C,?), ref: 00C26128
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2614C,?), ref: 00C26136
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C26185), ref: 00C26178
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$DelphiInterface$17System@%System@@$Axrtl@Interface%.Intf$Clear$qqrr44Osinfo@SecurityWin@$Center@ClassCopy$qqrr44Create$qqrpvzc.Create$qqrv.CriticalInfo@Interface%x44Locator@Object@$bctr$qqrv.Oxrtl@Section@$bctr$qqrv.Securitycenter@ServerSyncobjs@SystemTypelibrary@Utils@Versiont1.WbemWbemscripting@WindowsWindows$qqr39Windows$qqrv
                                    • String ID:
                                    • API String ID: 3683321244-0
                                    • Opcode ID: f1684e7c06170562e9a2ed62b9a71502164db6cdb02169a102b566bd2f83790b
                                    • Instruction ID: fc61676954b4a1d96a160c3601b04d5ce189170af2e56d5522c7b643ad91b046
                                    • Opcode Fuzzy Hash: f1684e7c06170562e9a2ed62b9a71502164db6cdb02169a102b566bd2f83790b
                                    • Instruction Fuzzy Hash: 4F318D34A04148EFDB04DF69E892A9EB7F5EF4A314B6184E8E800E7752D731AF11DA60
                                    APIs
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,00C4931E,?,?,?,?), ref: 00C49269
                                    • @System@Classes@TStream@ReadBuffer$qqrpvi.RTL250.BPL(00000000,00C4931E,?,?,?,?), ref: 00C4927F
                                    • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL250.BPL(00000000,00C4931E,?,?,?,?), ref: 00C4928A
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C4931E,?,?,?,?), ref: 00C492A7
                                    • @System@Classes@TStream@ReadBuffer$qqrpvi.RTL250.BPL(00000000,00C4931E,?,?,?,?), ref: 00C492B3
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Add$qqrxujx20System@UnicodeString.OXCOMPONENTSRTL(?,?,00000000,00C4931E,?,?,?,?), ref: 00C492C7
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(?,?,00000000,00C4931E,?,?,?,?), ref: 00C492CF
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(?,?), ref: 00C492F1
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C49325), ref: 00C49318
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Classes@Stream@$Unicode$System@@$Buffer$qqrpvi.Position$qqrv.Read$Add$qqrxujx20Char$qqrx20Clr$qqrpv.Collections@%Dictionary__2$uj20Generics@Length$qqrr20Position$qqrxj.StringString%@String.Stringi.
                                    • String ID:
                                    • API String ID: 2996981190-0
                                    • Opcode ID: ad2b51c2bcdfac15f05dfde1212e8ae5766c62638b9b53eba2c569a77a1151b8
                                    • Instruction ID: 21fadaf12c502ad2f957aedd5cc6617acc1d5d0eadb1f8e18ed9b865093cc512
                                    • Opcode Fuzzy Hash: ad2b51c2bcdfac15f05dfde1212e8ae5766c62638b9b53eba2c569a77a1151b8
                                    • Instruction Fuzzy Hash: CD213D75A04108AFCB00DF68CD82E9EB7F5EF89700B55C5A5E809E7756D770EE008B60
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250 ref: 0086BA0D
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetBackgroundColor$qqrv.VCLIMG250 ref: 0086BA1A
                                      • Part of subcall function 00869A04: @Vcl@Imaging@Gifimg@TGIFHeader@GetBackgroundColor$qqrv.VCLIMG250(0086BA1F), ref: 00869A07
                                    • @Vcl@Graphics@ColorToRGB$qqr21System@Uitypes@TColor.VCL250.BPL ref: 0086BA29
                                    • @Vcl@Graphics@ColorToRGB$qqr21System@Uitypes@TColor.VCL250.BPL ref: 0086BA33
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetDoDither$qqrv.VCLIMG250 ref: 0086BA3D
                                    • @Vcl@Imaging@Gifimg@TNetscapeColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0086BA53
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Color2RGB$qqr21System@Uitypes@TColor.VCLIMG250(00000000,0086BAC9), ref: 0086BA74
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@RGB2Color$qqr28Vcl@Imaging@Gifimg@TGIFColor.VCLIMG250(?), ref: 0086BAAB
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0086BAD0), ref: 0086BAC3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$ColorGifimg@Imaging@$System@$B$qqr21Image@L250Uitypes@$BackgroundColor$qqrvColor.Graphics@Map@$Color$qqr28Color2Dither$qqrvFree$qqrv.Header@Lookup@$bctr$qqrp10Map$qqrvNetscapeObject@
                                    • String ID:
                                    • API String ID: 2674387409-0
                                    • Opcode ID: eee94563c268c7fe973efc57da568043c45e2253d2bd9e536e449015888f558b
                                    • Instruction ID: 29d389a2981ff41e3f5b626049435554356cf236d581ccd1f9fab24fdc33c3be
                                    • Opcode Fuzzy Hash: eee94563c268c7fe973efc57da568043c45e2253d2bd9e536e449015888f558b
                                    • Instruction Fuzzy Hash: 85218E75A04248AFCB00EFE8C8919ADB7F8FB08316B5141A6F955D7282DB349F44DB91
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@HeaderPresent$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B4B
                                      • Part of subcall function 00876ACC: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00876AEF
                                      • Part of subcall function 00876ACC: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00876AFA
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B5A
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000,?,?,00873285,00000000,00873384), ref: 00874B69
                                      • Part of subcall function 00874EC4: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F0D
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F1D
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,00000000,?,?,00873285,00000000,00873384), ref: 00874B78
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874B8E
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,?,?,00873285,00000000,00873384), ref: 00874BC8
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00874BF0
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00874C08
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00874C1F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Image@$Header$qqrvSystem@$L250$MetaSystem@@$Class$qqrxp14Class.Item$qqruiList@Objectp17String$Class20Clr$qqrpv.Error$qqrp17HeaderLoadPresent$qqrvRaiseRec.String$qqrp20Unicode
                                    • String ID:
                                    • API String ID: 2919249824-0
                                    • Opcode ID: 63943095ce36685b6f8a6bf2a37641ff589ec6480e4d570633a319eb6495edba
                                    • Instruction ID: 7d987758ad6a0b4190fefbedeef1c2a634c9321c714086b39dca4f9032087f1a
                                    • Opcode Fuzzy Hash: 63943095ce36685b6f8a6bf2a37641ff589ec6480e4d570633a319eb6495edba
                                    • Instruction Fuzzy Hash: 13216FA22482998EC711DF3C8C447657AD1FF55324F28A8B9A0CDCB29BE775C844D71A
                                    APIs
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,?,?,?,00000000), ref: 00C2A1F1
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,?,?,?,00000000), ref: 00C2A1FD
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000001,?,?,?,?,00000000), ref: 00C2A212
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL ref: 00C2A21D
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,00000000), ref: 00C2A232
                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000), ref: 00C2A238
                                    • @System@@DynArrayHigh$qqrpxv.RTL250.BPL(00000000,?,00000000), ref: 00C2A242
                                    • @System@Sysutils@Abort$qqrv.RTL250.BPL(?,?,?,?,00000000), ref: 00C2A266
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C2A28E,?,00000000), ref: 00C2A281
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$ArraySystem@@$Length$qqrpxv.$High$qqrpxv.$Abort$qqrv.Clear$qqrrpvpv.Length$qqrv.MultipleObjectsSystem@Sysutils@Wait
                                    • String ID:
                                    • API String ID: 964521765-0
                                    • Opcode ID: a1e119750921ce52b1832b78255db8f55e5ffacd236ea54f5e8f78295a67cdbb
                                    • Instruction ID: e87b119164a82d5f8e03858af783134bf9ee30c2f510506aaf8417f03cf94dd4
                                    • Opcode Fuzzy Hash: a1e119750921ce52b1832b78255db8f55e5ffacd236ea54f5e8f78295a67cdbb
                                    • Instruction Fuzzy Hash: 35218C35700204EFD710EBA9D982E9EB7E8EF4A740F6044B4F804EB622DA71AE05DB51
                                    APIs
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(?,?,00000000), ref: 00C1D19C
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL(?,?,00000000), ref: 00C1D1AA
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1D275,?,?,?,00000000), ref: 00C1D1C3
                                    • @Oxrtl@System@Processes@Processes@TWindowList@$bctr$qqrv.OXCOMPONENTSRTL(00000000,00C1D275,?,?,?,00000000), ref: 00C1D1CF
                                      • Part of subcall function 00C1ED60: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C1ED6C
                                      • Part of subcall function 00C1ED60: @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,00C1D1D4,00000000,00C1D275,?,?,?,00000000), ref: 00C1ED79
                                      • Part of subcall function 00C1ED60: @System@Generics@Collections@%TList__1$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%%@$bctr$qqrv.OXCOMPONENTSRTL(?,?,?,00C1D1D4,00000000,00C1D275,?,?,?,00000000), ref: 00C1ED85
                                      • Part of subcall function 00C1ED60: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,?,00C1D1D4,00000000,00C1D275,?,?,?,00000000), ref: 00C1ED93
                                    • @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(00000000,00C1D275,?,?,?,00000000), ref: 00C1D1EA
                                    • EnumWindows.USER32(?,?), ref: 00C1D206
                                    • @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(00C1D215,?,00000000,00C1D275,?,?,?,00000000), ref: 00C1D24C
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C1D27C,00C1D275,?,?,?,00000000), ref: 00C1D267
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1D27C,00C1D275,?,?,?,00000000), ref: 00C1D26F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$DelphiSystem@%System@@$Interface$17$Intf$Interface%.Interface%x44Processes@$Cast$qqrr44Interface%rx5_Oxrtl@Record$qqrpvt1.$AfterClassClear$qqrr44Collections@%Construction$qqrxp14Copy$qqrr44Create$qqrpvzc.EnumFinalizeGenerics@InitializeInterface$30List@$bctr$qqrvList__1$57Object.Object@$bctr$qqrv.Ref$qqrx44WindowWindow%%@$bctr$qqrvWindows
                                    • String ID:
                                    • API String ID: 3218562210-0
                                    • Opcode ID: b669845a5616bc5c0477a4977eca8d384b3e5fe9cb6271c94d49f978f6218629
                                    • Instruction ID: b5f8a21cd80f5dec3c45dddd3623f8f9d39bd6888cfe43247629272cdfd35b67
                                    • Opcode Fuzzy Hash: b669845a5616bc5c0477a4977eca8d384b3e5fe9cb6271c94d49f978f6218629
                                    • Instruction Fuzzy Hash: 91212930A00108AF8710EF68DC52DEEB3F9EBCB31076086B9FC2193651D7309E00A654
                                    APIs
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C2D100
                                    • CoInitialize.OLE32(00000000), ref: 00C2D157
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D17C
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D1C9
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000), ref: 00C2D1D8
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000), ref: 00C2D1F2
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00000000,00C2D2A4,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000), ref: 00C2D1F7
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2D286,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D271
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2D286,00000000,00000000,00C2D240,?,?,00000000,00000003,00C2D294,00000000,00000000,00C2D25A,?,00000000,00000000,00C2D27F), ref: 00C2D279
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$System@$DelphiInterface$17System@%$Interface%.Intf$Clear$qqrr44$Exit$qqrv.Finally$Char$qqrx20Copy$qqrr44InitializeInterface%x44String.Unicode
                                    • String ID:
                                    • API String ID: 2827285957-0
                                    • Opcode ID: 360b05aaf7cced9b8fb0d6417f29dba264cde14a3528e5d33eb3f62831af6c7a
                                    • Instruction ID: 7d9f045f723f0ed93de85829e86794e0cef03fa34b59f7d1496a5407cd3670d7
                                    • Opcode Fuzzy Hash: 360b05aaf7cced9b8fb0d6417f29dba264cde14a3528e5d33eb3f62831af6c7a
                                    • Instruction Fuzzy Hash: C0110330604394AEC712BB68EC13F6D77E8EB46B10F9008F9F802A6D93CA749E10C655
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@HeaderPresent$qqrv.VCLIMG250(00000000,00876AC0), ref: 00876A1A
                                      • Part of subcall function 00876ACC: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00876AEF
                                      • Part of subcall function 00876ACC: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00876AFA
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(00000000,00876AC0), ref: 00876A2A
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00876AC0), ref: 00876A4C
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00876AC0), ref: 00876A5D
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250(00000000,00876AC0), ref: 00876A73
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250(00000000,00876AC0), ref: 00876A90
                                    • @Vcl@Graphics@ColorToRGB$qqr21System@Uitypes@TColor.VCL250.BPL(00000000,00876AC0), ref: 00876A9B
                                    • @Vcl@Imaging@Pngimage@TChunktRNS@SetTransparentColor$qqrxui.VCLIMG250(00000000,00876AC0), ref: 00876AA5
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00876AC7), ref: 00876ABA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Vcl@$Imaging@Pngimage@$L250$Meta$List@System@@$Image@$ClassClass$qqrxp14Class.Clr$qqrpv.Item$qqruiObjectp17String$Add$qqrp17B$qqr21ChunktClass$qqrp17Class20ColorColor$qqrxuiColor.Error$qqrp17FromGraphics@HeaderHeader$qqrvItemLoadPresent$qqrvRaiseRec.String$qqrp20TransparentUitypes@Unicode
                                    • String ID:
                                    • API String ID: 2400781239-0
                                    • Opcode ID: 0119efffb27b3d8e21c6e1fa42f92b6c6b0e9e501a9aedc85d26ace225845667
                                    • Instruction ID: 0082f5933b8107bef0ae84934f5312ea35d67a9618a20e5efe7c1ca9677132f4
                                    • Opcode Fuzzy Hash: 0119efffb27b3d8e21c6e1fa42f92b6c6b0e9e501a9aedc85d26ace225845667
                                    • Instruction Fuzzy Hash: 8A213630A046189FCB00DBA8D8569AEB7B1FB49310F51C4B5E418E736AEB71EE15DF41
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C404
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C417
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C422
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C42A
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C431
                                    • @Oxrtl@System@Processes@Processes@TProcess@WindowList$qqr114System@%DelphiInterface$87System@Sysutils@%TFunc__2$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%o%%.OXCOMPONENTSRTL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C444
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1C471,?,?,?,?,00000000,00000000,00000000), ref: 00C1C44E
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1C478,?,?,?,00000000,00000000,00000000), ref: 00C1C463
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1C478,?,?,?,00000000,00000000,00000000), ref: 00C1C46B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17L250$System@@$Interface%.Intf$Clear$qqrr44$Processes@$Copy$qqrr44Interface%x44Oxrtl@Unicode$Asg$qqrr20Func__2$57Interface$30Interface$87List$qqr114Object@$bctr$qqrv.Process@String.Stringx20Sysutils@%WindowWindow%o%%
                                    • String ID:
                                    • API String ID: 2024498020-0
                                    • Opcode ID: 84303f85dda74daeb4f4b4e76dd33b6aad0f8c379caf3ccc85429e34b0fded7f
                                    • Instruction ID: f4aa61bfb6a30863be72ae18e99131d5d3c30df9a462a23fa5368334b93ee9ef
                                    • Opcode Fuzzy Hash: 84303f85dda74daeb4f4b4e76dd33b6aad0f8c379caf3ccc85429e34b0fded7f
                                    • Instruction Fuzzy Hash: 5401A1346002046BD700EA6CCC92FADB7E9EFC7710F6085F9F810A7696DB74EE159658
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 0087828F
                                    • @Vcl@Graphics@TSharedImage@Release$qqrv.VCL250.BPL ref: 0087829B
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@GetBitmap$qqrv.VCLIMG250 ref: 008782AD
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?,?,?,?,008782B2), ref: 00878CF9
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D43
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(?,?,?,00000000,00879165,?,00000000,00879194,?,?,?,?,?,008782B2), ref: 00878D62
                                      • Part of subcall function 00878CBC: @System@Classes@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DA6
                                      • Part of subcall function 00878CBC: @System@@CallDynaInst$qqrv.RTL250.BPL(00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878DC0
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(00000000,00879154,?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000), ref: 00878DF9
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@GetBitmap$qqrv.VCLIMG250 ref: 008782BF
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL ref: 00878D7F
                                      • Part of subcall function 00878CBC: DeleteObject.GDI32(?), ref: 00878E12
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00879154,?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000), ref: 00878E34
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL(?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,00879165,?,00000000,00879194), ref: 00878E57
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 00878E6F
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00878FF2
                                      • Part of subcall function 00878CBC: @Vcl@Graphics@TBitmap@GetScanline$qqri.VCL250.BPL ref: 0087904E
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewBitmap$qqrv.VCLIMG250 ref: 008782B8
                                      • Part of subcall function 008793B0: @System@TObject@Free$qqrv.RTL250.BPL(?,008782EF), ref: 008793B6
                                      • Part of subcall function 008793B0: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?,008782EF), ref: 008793C2
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008782D8
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewImage$qqrv.VCLIMG250 ref: 008782E3
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewBitmap$qqrv.VCLIMG250 ref: 008782EA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$L250$Graphics@$Bitmap@$Image@System@$Imaging@Jpeg@$Bitmap$qqrvPixelScanline$qqri.$System@@$Bitmap@$bctr$qqrv.Class$qqrxp14Class.Format$qqr25Format.Handle$qqrp9MetaObjectp17P__.$CallClasses@CopyDeleteDynaE__.Free$qqrv.Image$qqrvInst$qqrv.ObjectObject@Palette$qqrp10Rect$qqriiii.Release$qqrv.Shared
                                    • String ID:
                                    • API String ID: 512073828-0
                                    • Opcode ID: 0d09af7c3d80127f408e4ae658885bbd74b6d074879d342e0442a26295f4af8e
                                    • Instruction ID: fe8910d373103264a17b59092fc2c131efa0c7461c59a20f17752ae3b0caeccb
                                    • Opcode Fuzzy Hash: 0d09af7c3d80127f408e4ae658885bbd74b6d074879d342e0442a26295f4af8e
                                    • Instruction Fuzzy Hash: 9A011A707105408B8B40EB2CC88995A77E6FF8971A724916AF80DCB35BCE70DC4ACB91
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085DC9A
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCA9
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCB4
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCBF
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCCA
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCD5
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085DCE0
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085DCEB
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085DCF6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$FreeMem$qqrpv.$System@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 4017372846-0
                                    • Opcode ID: cfd2e36c328ace4a0f7e05e922568e567736c0f8504edc0e89860d45bb5966af
                                    • Instruction ID: f250a185fbcd51ba4d8ec5d8ecc31ce16b51daed693fea26a88eef9d108309c2
                                    • Opcode Fuzzy Hash: cfd2e36c328ace4a0f7e05e922568e567736c0f8504edc0e89860d45bb5966af
                                    • Instruction Fuzzy Hash: B9F09831690E5487CA20B63CCC967CBA3D4FF053C3B048825B9D5C7296CE266D8E57C6
                                    APIs
                                    • @Axrtl@Winapi@Winsock2@WinSock2@InitLibrary$qqrv.AXCOMPONENTSRTL.BPL(00000000,00C32648), ref: 00C323EE
                                    • @Axrtl@Winapi@Winsock2@WinSock2@GetHostByName$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00C32648), ref: 00C323F5
                                    • GetLastError.KERNEL32(?,00000000,00000000), ref: 00C32408
                                    • @System@Sysutils@IntToStr$qqrj.RTL250.BPL(00000000,00000000), ref: 00C32414
                                    • @Axrtl@Winapi@Winsock2@WinSock2@Inet_NtoA$qqr29Axrtl@Winapi@Winsock2@TInAddr.AXCOMPONENTSRTL.BPL(?,00000001,00000000), ref: 00C32444
                                    • @System@@UStrFromPChar$qqrr20System@UnicodeStringpc.RTL250.BPL(?,?,00000001,00000000), ref: 00C32452
                                    • @Axrtl@Winapi@Iphlpapi@IPHelper@IcmpCreateFile$qqrv.AXCOMPONENTSRTL.BPL ref: 00C32461
                                    • GetLastError.KERNEL32(?,00000000,00000000), ref: 00C32477
                                    • @System@Sysutils@IntToStr$qqrj.RTL250.BPL(00000000,00000000,?,00000000,00000000), ref: 00C32483
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00C3264F), ref: 00C3263A
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C3264F), ref: 00C32642
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@L250Winapi@$System@Winsock2@$Sock2@System@@$ErrorLastStr$qqrj.Sysutils@Unicode$A$qqr29Addr.ArrayChar$qqrr20Clr$qqrpv.Clr$qqrpvi.CreateFile$qqrv.FromHelper@HostIcmpInet_InitIphlpapi@Library$qqrv.Name$qqrx20String.Stringpc.
                                    • String ID: GetHostByName
                                    • API String ID: 2824079550-1825089423
                                    • Opcode ID: 03c07da40b6f7a1f13264decf96b13ad2cf73cab82579661c5f6d42e36939caa
                                    • Instruction ID: 8c6374ae25307e933fc63ead50e646d277239ec82c32a4dd1bb2c7ac45d156cb
                                    • Opcode Fuzzy Hash: 03c07da40b6f7a1f13264decf96b13ad2cf73cab82579661c5f6d42e36939caa
                                    • Instruction Fuzzy Hash: 96115E70E103489FDB11DF96C892AAEBBB8FF48710F958079F808E7241DB349D018A50
                                    APIs
                                    • @Axrtl@System@Win@Internet@THTTPFormDataPost@$bctr$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL ref: 00C36195
                                    • @Axrtl@System@Win@Internet@THTTPFormDataPost@AddFileField$qqrx20System@UnicodeStringt1p28System@Classes@TMemoryStreamt1.AXCOMPONENTSRTL.BPL(Content-Type: application/octet-stream,?,00000000,00C361F5), ref: 00C361CD
                                    • @Axrtl@System@Win@Internet@THTTPFormDataPost@Post$qqrruip22System@Classes@TStream.AXCOMPONENTSRTL.BPL(Content-Type: application/octet-stream,?,00000000,00C361F5), ref: 00C361DA
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00C361FC,00C361F5), ref: 00C361EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Axrtl@DataFormInternet@Win@$Classes@Post@Unicode$Field$qqrx20FileFreeL250MemoryNil$qqrpv.Post$qqrruip22Post@$bctr$qqrx20Stream.Streamt1.String.Stringt1p28Sysutils@
                                    • String ID: Content-Type: application/octet-stream$file$test.jpg
                                    • API String ID: 479589128-481463604
                                    • Opcode ID: c6b695779465ef9e127542dd3c5ddd25934b91bb3152febcd238c2875bbf9145
                                    • Instruction ID: 4202d923af3a3f978caa2cf3d35bad7e351f79098ca6a5a380853d8f4591b39a
                                    • Opcode Fuzzy Hash: c6b695779465ef9e127542dd3c5ddd25934b91bb3152febcd238c2875bbf9145
                                    • Instruction Fuzzy Hash: 6201D130718208BF8B04DF59D8928AFB7E9EB89710B62C1B5F80497351DB71AF05DAC0
                                    APIs
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0088C5AF,00000000,00000000), ref: 0088C5A2
                                      • Part of subcall function 008797B0: GetDC.USER32(00000000), ref: 008797B4
                                      • Part of subcall function 008797B0: GetDeviceCaps.GDI32(00000000,0000000C), ref: 008797BE
                                      • Part of subcall function 008797B0: GetDeviceCaps.GDI32(00000000,0000000E), ref: 008797C8
                                      • Part of subcall function 008797B0: ReleaseDC.USER32(00000000,00000000), ref: 008797EB
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(008778B4,00000000,0088C5A8,?,00000000,00000000), ref: 0088C551
                                    • @Vcl@Graphics@TPicture@RegisterFileFormat$qqrx20System@UnicodeStringt1p17System@TMetaClass.VCL250.BPL(008778B4,00000000,0088C5A8,?,00000000,00000000), ref: 0088C563
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(008778B4,008778B4,00000000,0088C5A8,?,00000000,00000000), ref: 0088C576
                                    • @Vcl@Graphics@TPicture@RegisterFileFormat$qqrx20System@UnicodeStringt1p17System@TMetaClass.VCL250.BPL(008778B4,008778B4,00000000,0088C5A8,?,00000000,00000000), ref: 0088C588
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$CapsClass.DeviceFileFormat$qqrx20Graphics@LoadMetaPicture@Rec.RegisterStringString$qqrp20Stringt1p17UnicodeVcl@$ArrayClr$qqrpvi.ReleaseSystem@@
                                    • String ID: jpeg$jpg
                                    • API String ID: 496777365-766737687
                                    • Opcode ID: 76885951f94178214f028c6bbffcaeefea9d833968a1b0ae0d6b3c6576b1bf46
                                    • Instruction ID: b8fb09f8ce9afd0d1891802f8484df35b184d50cede59e43f3f90ea811d39476
                                    • Opcode Fuzzy Hash: 76885951f94178214f028c6bbffcaeefea9d833968a1b0ae0d6b3c6576b1bf46
                                    • Instruction Fuzzy Hash: 2F016235200304AFCB00EBADDC46E5A77B9FB89310F504460FA00D7769DA70BD45CBA6
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 0085F0F4
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000006,00000000,0085F35B), ref: 0085F1E0
                                      • Part of subcall function 00859758: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(0085A01F,?,?,?,?,0085ECD2,00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 00859758
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Graphics@L250Vcl@$Pixel$Bitmap@Bitmap@$bctr$qqrv.Exit$qqrv.FinallyFormat$qqr25Format.System@@
                                    • String ID:
                                    • API String ID: 4144409616-0
                                    • Opcode ID: 5ba838fa36bed7f834d49d2cb910b388c529cddc7a2139118f9d858db4d0da09
                                    • Instruction ID: 08d745c45192043b544b877b43f50fc7c11594af049a61b842944a6fc6795541
                                    • Opcode Fuzzy Hash: 5ba838fa36bed7f834d49d2cb910b388c529cddc7a2139118f9d858db4d0da09
                                    • Instruction Fuzzy Hash: 0691F675A00109CFDB00DFA8C885AEEBBF5FB49312F1540A5E904E7352D735AD49CBA1
                                    APIs
                                    • MulDiv.KERNEL32(?,00000064,?), ref: 008649D9
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,00000064,?,00000000,00864B3E,?,0000FFFD,?), ref: 008649ED
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,?,00000064,?,00000000,00864B3E,?,0000FFFD,?), ref: 008649FE
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,?,00000064,?,00000000,00864B3E,?,0000FFFD,?), ref: 00864A1C
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@AddUnique$qqr21System@Uitypes@TColor.VCLIMG250(?,0000FFFD,?), ref: 00864A92
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00864B3E,?,0000FFFD,?), ref: 00864ADC
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00864B45,0000FFFD,?), ref: 00864B2A
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00864B45,0000FFFD,?), ref: 00864B38
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$ArrayColor$Asg$qqrrpvpvt2.CallClear$qqrrpvpv.Clr$qqrpv.DynaGifimg@Imaging@Inst$qqrv.LoadMap@Rec.Rect$qqriiii.StringString$qqrp20Types@Uitypes@Unique$qqr21Vcl@
                                    • String ID:
                                    • API String ID: 1903084962-0
                                    • Opcode ID: 6dd7a794d405bff4b4deb03144bd0d8c53ad8fe96871cd372366a7447ab6adab
                                    • Instruction ID: 62bde97201f8dbb16707151843b433eaac52ae48f5a07a85d678f7f99ddd4583
                                    • Opcode Fuzzy Hash: 6dd7a794d405bff4b4deb03144bd0d8c53ad8fe96871cd372366a7447ab6adab
                                    • Instruction Fuzzy Hash: 89612574A00659AFCB00CFA8C584AAEBBF5FF09311F1185A5EC55DB361D234EE44CB91
                                    APIs
                                      • Part of subcall function 0085A4B8: @System@@FreeMem$qqrpv.RTL250.BPL(?,0085A2D7,00000000,0085A4A7), ref: 0085A4C2
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,0085A4A7), ref: 0085A2FC
                                    • GetObjectW.GDI32(?,00000002,?), ref: 0085A363
                                    • GetPaletteEntries.GDI32(?,00000000,00000000,-00000027), ref: 0085A38B
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,0085A47A,?,00000000,0085A4A7), ref: 0085A3D2
                                      • Part of subcall function 00852558: GlobalAlloc.KERNEL32(00000002,?,0085A443,00000000,0085A47A,?,00000000,0085A4A7), ref: 0085255A
                                      • Part of subcall function 00852558: GlobalLock.KERNEL32(00000000,00000002,?,0085A443,00000000,0085A47A,?,00000000,0085A4A7), ref: 00852560
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085A47A,?,00000000,0085A4A7), ref: 0085A457
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,0085A47A,?,00000000,0085A4A7), ref: 0085A466
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,0085A47A,?,00000000,0085A4A7), ref: 0085A46B
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0085A4AE), ref: 0085A4A1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$System@$Global$AllocChar$qqrpvic.Clr$qqrpv.EntriesExcept$qqrv.Exception@$bctr$qqrx20FillFreeLoadLockMem$qqri.Mem$qqrpv.ObjectPaletteRaiseRec.StringString$qqrp20String.Sysutils@Unicode
                                    • String ID:
                                    • API String ID: 4281104650-0
                                    • Opcode ID: 59abfabdc21924d1bcf48d34ba29048df58a3ca6597fa5050847344458a6c346
                                    • Instruction ID: 769345ef470dc8fdffddfb37e5017fcaf71866348eea6e2776fb0dfaa6721bf3
                                    • Opcode Fuzzy Hash: 59abfabdc21924d1bcf48d34ba29048df58a3ca6597fa5050847344458a6c346
                                    • Instruction Fuzzy Hash: 2A512674A00208EFDB48CFA8C985A9DBBF5FF48315B1181A9E804EB352D778DE48DB55
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00874D44
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00874D4E
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00874D6B
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00874D88
                                    • @Vcl@Imaging@Pngimage@TPngImage@HasPixelInformation$qqrv.VCLIMG250(00000000,00000000,00000000,00000058,00000000), ref: 00874D8F
                                      • Part of subcall function 00874E78: @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250(?,00874D94,00000000,00000000,00000000,00000058,00000000), ref: 00874E87
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetPixelInformation$qqrv.VCLIMG250(00000000,00000000,00000000,00000058,00000000), ref: 00874DD7
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 00874E04
                                    • @System@@TRUNC$qqrv.RTL250.BPL ref: 00874E31
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$C$qqrv.CapsDeviceImage@Information$qqrvL250PixelSystem@@$ClassClass$qqrp17FromItemList@MetaReleaseSystem@
                                    • String ID:
                                    • API String ID: 3219879543-0
                                    • Opcode ID: 80a31751d220300e7ae94bb606a1cd6048748bde5c58473a11bbcfffcd57f208
                                    • Instruction ID: 241fffe4f106a0cb49985be11312686019d970d9af31564015c5aaa8bb2320c7
                                    • Opcode Fuzzy Hash: 80a31751d220300e7ae94bb606a1cd6048748bde5c58473a11bbcfffcd57f208
                                    • Instruction Fuzzy Hash: DF414C71608301ABC300EF29C88494BBBE1FF89351F41896DF899D7266DB31D9998B93
                                    APIs
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtOpenSession$qqruiui.OXCOMPONENTSRTL(00000000,00BDF358), ref: 00BDF251
                                      • Part of subcall function 00BD8BF8: @Oxrtl@Winapi@Wevtapi@WevtApi@EvtOpenSession$qqr36Oxrtl@Winapi@Wevtapi@EVT_LOGIN_CLASSp34Oxrtl@Winapi@Wevtapi@EVT_RPC_LOGINuiui.OXCOMPONENTSRTL ref: 00BD8C27
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@WevtGetXMLQuery$qqrx20System@UnicodeStringx59System@%DelphiInterface$32Oxrtl@System@Eventlog@ICondition%.OXCOMPONENTSRTL(?,00000000,00BDF33B,?,00000000,00BDF358), ref: 00BDF27E
                                      • Part of subcall function 00BDF7BC: @System@@InitializeRecord$qqrpvt1.RTL250.BPL(?,00000000), ref: 00BDF7DC
                                      • Part of subcall function 00BDF7BC: @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(00000000,00BDF8FD,?,?,00000000), ref: 00BDF7FD
                                      • Part of subcall function 00BDF7BC: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BDF8FD,?,?,00000000), ref: 00BDF81A
                                      • Part of subcall function 00BDF7BC: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BDF8FD,?,?,00000000), ref: 00BDF82B
                                      • Part of subcall function 00BDF7BC: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,00BDF8FD,?,?,00000000), ref: 00BDF85D
                                      • Part of subcall function 00BDF7BC: @System@Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(?,?,00000000,00BDF8FD,?,?,00000000), ref: 00BDF888
                                      • Part of subcall function 00BDF7BC: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(?,?,00000000,00BDF8FD,?,?,00000000), ref: 00BDF893
                                      • Part of subcall function 00BDF7BC: @System@Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(?,?,00000000,00BDF8FD,?,?,00000000), ref: 00BDF8C4
                                      • Part of subcall function 00BDF7BC: @System@@UStrClr$qqrpv.RTL250.BPL(00BDF904,00BDF8FD,?,?,00000000), ref: 00BDF8D9
                                      • Part of subcall function 00BDF7BC: @System@@UStrClr$qqrpv.RTL250.BPL(00BDF904,00BDF8FD,?,?,00000000), ref: 00BDF8E1
                                      • Part of subcall function 00BDF7BC: @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BDF904,00BDF8FD,?,?,00000000), ref: 00BDF8E9
                                      • Part of subcall function 00BDF7BC: @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BDF904,00BDF8FD,?,?,00000000), ref: 00BDF8F7
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,00BDF2C1,?,?,00000000,00BDF33B,?,00000000,00BDF358), ref: 00BDF2A3
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtQuery$qqruipbt2ui.OXCOMPONENTSRTL(?,00000000,00BDF2C1,?,?,00000000,00BDF33B,?,00000000,00BDF358), ref: 00BDF2AF
                                      • Part of subcall function 00BD9D7C: @Oxrtl@Winapi@Wevtapi@WevtApi@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?), ref: 00BD9D94
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@WevtListQueryResult$qqrxuixuix20System@UnicodeStringxjrjpxvx59System@%DelphiInterface$32Oxrtl@System@Eventlog@ICondition%.OXCOMPONENTSRTL(?,?,?,?,?,?,00000000,00BDF31E,?,?,00000000,00BDF33B,?,00000000,00BDF358), ref: 00BDF303
                                      • Part of subcall function 00BDF368: @Oxrtl@System@Eventlog@TWindowsEventLog@WevtGetLogCount$qqrxuix20System@UnicodeString.OXCOMPONENTSRTL(00000000,00BDF62C,?,?,?,00000000,?,00BDF308,?,?,?,?,?,?,00000000,00BDF31E), ref: 00BDF39D
                                      • Part of subcall function 00BDF368: @Oxrtl@System@Eventlog@TWindowsEventLog@TWindowsEventRecordWevt@$bctr$qqrpv.OXCOMPONENTSRTL(00000000,00BDF62C,?,?,?,00000000,?,00BDF308,?,?,?,?,?,?,00000000,00BDF31E), ref: 00BDF3DC
                                      • Part of subcall function 00BDF368: @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00BDF613,00000000,00BDF62C,?,?,?,00000000,?,00BDF308,?,?,?,?,?,?,00000000), ref: 00BDF606
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtClose$qqrui.OXCOMPONENTSRTL(00BDF325,?,?,?,00000000,00BDF31E,?,?,00000000,00BDF33B,?,00000000,00BDF358), ref: 00BDF318
                                      • Part of subcall function 00BD8D34: @Oxrtl@Winapi@Wevtapi@WevtApi@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BD8D40
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtClose$qqrui.OXCOMPONENTSRTL(00BDF342,?,00000000,00BDF358), ref: 00BDF335
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BDF35F), ref: 00BDF352
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Oxrtl@$Unicode$System@@$Wevt$Wevtapi@Winapi@$Api@$Eventlog@$DelphiEventString.System@%Windows$Log@$Clr$qqrpv.Interface$17StringSysutils@$Asg$qqrr20Close$qqruiCondition%Format$qqrx20Interface$32IntfLen$qqrx20OpenProc$qqrx20Record$qqrpvt1.Recxi.Stringpx14Stringx20$Cast$qqrr44Char$qqrx20Clear$qqrr44Count$qqrxuix20FinalizeFreeInitializeInterface%.Interface%rx5_Interface%x44ListNil$qqrpv.NuiuiQueryQuery$qqruipbt2uiQuery$qqrx20RecordResult$qqrxuixuix20Session$qqr36Session$qqruiuiSp34Stringx59Stringxjrjpxvx59Wevt@$bctr$qqrpv
                                    • String ID:
                                    • API String ID: 1723597173-0
                                    • Opcode ID: ddf38327c55d5d8a1b81b3ceaf3ac33d0b392c87573b216c021ceacde9e17ea2
                                    • Instruction ID: e1b63c88c7102479feb4736582bd3eaa33c5bae29353474d577039904aa41f8d
                                    • Opcode Fuzzy Hash: ddf38327c55d5d8a1b81b3ceaf3ac33d0b392c87573b216c021ceacde9e17ea2
                                    • Instruction Fuzzy Hash: 4F318075A08609AFDB01CFA5DC528BEFBF9EB49710B5244B6F805E3750E6349E10CA24
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085DB71
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC03
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC18
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC2D
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC42
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC57
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC6C
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000,?,00000001,?,0085F0D6,?,?,?,?,?,?,?,0085F208), ref: 0085DC7F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Mem$qqri.$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.System@
                                    • String ID:
                                    • API String ID: 3732308598-0
                                    • Opcode ID: 21425a41dc27740f5d8772bdcc2dce74524e5b6fa9d58c7795455b133be394de
                                    • Instruction ID: a3bbc1e193378e58d2e156943668ea02b245affe1b17abc76f5cc659d2cca3d4
                                    • Opcode Fuzzy Hash: 21425a41dc27740f5d8772bdcc2dce74524e5b6fa9d58c7795455b133be394de
                                    • Instruction Fuzzy Hash: 0431AEB2A002104BEF14DF7CCC8639936D4FF0431AF08897AED15CB346EAB9C4898786
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunktEXt@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,00000000,00871219), ref: 0087112A
                                      • Part of subcall function 008713A8: @Vcl@Imaging@Pngimage@TChunk@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,?), ref: 008713C4
                                      • Part of subcall function 008713A8: @System@@LStrFromPChar$qqrr27System@%AnsiStringT$us$i0$%pcus.RTL250.BPL(?,?), ref: 008713E2
                                      • Part of subcall function 008713A8: @System@@LStrSetLength$qqrr27System@%AnsiStringT$us$i0$%ius.RTL250.BPL(?,?), ref: 008713FD
                                      • Part of subcall function 008713A8: @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,?), ref: 00871405
                                      • Part of subcall function 008713A8: @System@Move$qqrpxvpvi.RTL250.BPL(?,?), ref: 0087142C
                                    • @System@@LStrFromPChar$qqrr27System@%AnsiStringT$us$i0$%pcus.RTL250.BPL(?,00000000,00871219), ref: 00871150
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(?,00000000,00871219), ref: 0087117F
                                    • @System@@LStrSetLength$qqrr27System@%AnsiStringT$us$i0$%ius.RTL250.BPL(?,00000000,?,00000000,00871219), ref: 008711E1
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,00000000,?,00000000,00871219), ref: 008711E9
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,00000000,?,00000000,00871219), ref: 008711F6
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?,00000000,?,00000000,00871219), ref: 008711FE
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00871220), ref: 00871213
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$StringSystem@%$Ansi$FromSystem@$A$qqrr27Array$ci$i4$%iChar$qqrr27Classes@Clr$qqrpv.Imaging@Length$qqrr27LoadMove$qqrpxvpvi.Pngimage@StaticStream$qqrp22Streamx27T$us$i0$%.T$us$i0$%ius.T$us$i0$%pcus.UniqueVcl@$Chunk@ChunktFreeMem$qqrpv.
                                    • String ID:
                                    • API String ID: 1934183205-0
                                    • Opcode ID: bea3062af9d1119b29849b3593a230fa5fe8f44852ab74b6a398594ed89735a2
                                    • Instruction ID: 658d204f23e897ed49d9e56b92f7aa6438a11bd7cf9143bc0a9e0b2278e99000
                                    • Opcode Fuzzy Hash: bea3062af9d1119b29849b3593a230fa5fe8f44852ab74b6a398594ed89735a2
                                    • Instruction Fuzzy Hash: 6A315E70A001499FCF05DFACC9856AEBBF5FF49300F5481A5E914EB75ADA30DA44CBA1
                                    APIs
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BEE1FD
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BEE203
                                    • @System@Sysutils@RaiseLastOSError$qqrv.RTL250.BPL(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BEE217
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,00BEE2CF,?,00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BEE240
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@GetFixedPageSize$qqrxj.OXCOMPONENTSRTL(00000000,00000000,00000000,00000000,00000000,00000002,00000004,00000000,00000000,00000000,00000000,00BEE2CF,?,00000000,80000000,00000007), ref: 00BEE296
                                    • @System@Math@Min$qqrxjxj.RTL250.BPL(00000000,?,00000000,00000000,00000000,00000000,00000000,00000002,00000004,00000000,00000000,00000000,00000000,00BEE2CF,?,00000000), ref: 00BEE29D
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@$bctr$qqrx20System@UnicodeStringxuixuixuixp20_SECURITY_ATTRIBUTESxjxj.OXCOMPONENTSRTL(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000002,00000004,00000000,00000000,00000000), ref: 00BEE2B4
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000002,00000004,00000000,00000000,00000000), ref: 00BEE2C0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Unicode$CustomFileFilemapped@MappedOxrtl@String.System@@$Asg$qqrr20Char$qqrx20CreateError$qqrv.FixedLastMath@Memory@Memory@$bctr$qqrx20Min$qqrxjxj.PageRaiseSizeSize$qqrxjStringx20Stringxuixuixuixp20_SxjxjSysutils@
                                    • String ID:
                                    • API String ID: 2886096286-0
                                    • Opcode ID: a9ff3a6c1310e58998e131e006eeaf5ce4e75392abb1af3fcd5068c086bccc32
                                    • Instruction ID: 9928e084f0ab3dffc5dd65686d5dd95a8c3bb63a1d095d551433e98912376da4
                                    • Opcode Fuzzy Hash: a9ff3a6c1310e58998e131e006eeaf5ce4e75392abb1af3fcd5068c086bccc32
                                    • Instruction Fuzzy Hash: CF316F75A00248FFEF20DFA5C885F9D7BF8EB09714F1081A9FA24AA281D7759A44CB54
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00871657), ref: 00871580
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@PrepareImageData$qqrv.VCLIMG250(00000000,00871657), ref: 008715A5
                                      • Part of subcall function 00871A00: @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,?,008715AA,00000000,00871657), ref: 00871A18
                                      • Part of subcall function 00871A00: @Vcl@Imaging@Pngimage@TChunkIHDR@FreeImageData$qqrv.VCLIMG250(?,?,?,?,008715AA,00000000,00871657), ref: 00871A1F
                                      • Part of subcall function 00871A00: @System@@GetMem$qqri.RTL250.BPL(?,?,?,?,?,?,008715AA,00000000,00871657), ref: 00871AFC
                                      • Part of subcall function 00871A00: @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,?,?,?,008715AA,00000000,00871657), ref: 00871B20
                                      • Part of subcall function 00871A00: @System@@GetMem$qqri.RTL250.BPL(?), ref: 00871B40
                                      • Part of subcall function 00871A00: @System@@FillChar$qqrpvic.RTL250.BPL(?), ref: 00871B64
                                      • Part of subcall function 00871A00: CreateCompatibleDC.GDI32(00000000), ref: 00871B6B
                                      • Part of subcall function 00871A00: @Vcl@Graphics@TCanvas@SetHandle$qqrp5HDC__.VCL250.BPL(00000000), ref: 00871B84
                                      • Part of subcall function 00871A00: CreateHalftonePalette.GDI32(?,00000000), ref: 00871BA6
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,00871657), ref: 008715CF
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,00871657), ref: 008715F9
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(00000000,00871657), ref: 00871612
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00871657), ref: 0087162B
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00871657), ref: 0087163C
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0087165E), ref: 00871651
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$Vcl@$Char$qqrpvic.FillImaging@Pngimage@$ChunkCreateData$qqrvGraphics@ImageMem$qqri.MetaMove$qqrpxvpvi.String$C__.Canvas@Class$qqrxp14Class.Class20Clr$qqrpv.CompatibleCopyE__.Error$qqrp17FreeHalftoneHandle$qqrp5Image@LoadObjectp17PalettePalette$qqrp10PrepareRaiseRec.String$qqrp20Unicode
                                    • String ID:
                                    • API String ID: 3245896039-0
                                    • Opcode ID: d81d0731f638921c47567918d244e56d14a94b224b00a564571689681a5399c3
                                    • Instruction ID: d45186c0631b943e659ab89f17829e57725808f112a2aee5a6ade173602e5edb
                                    • Opcode Fuzzy Hash: d81d0731f638921c47567918d244e56d14a94b224b00a564571689681a5399c3
                                    • Instruction Fuzzy Hash: 4D318E757009049FCB08DF2CD88498AB7A6FF89311F1481B6ED08DB35ADB71BD09CAA4
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008681EC
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 008681FD
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 00868218
                                    • @System@@GetMem$qqri.RTL250.BPL(00000000,00000000,?), ref: 00868226
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00000000,?), ref: 00868235
                                    • @System@Classes@TList@SetCapacity$qqri.RTL250.BPL(00000000,00000000,?), ref: 00868244
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL(00000000,00000000,?), ref: 0086826A
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(00000000,00000000,?), ref: 008682A8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$Object@$bctr$qqrv.System@@$Classes@List@$Add$qqrpv.AfterCapacity$qqri.ClassConstruction$qqrxp14Create$qqrpvzc.Mem$qqri.Object.
                                    • String ID:
                                    • API String ID: 3259746152-0
                                    • Opcode ID: f7c2af1bb043142c39582c922b6b11ae96e22a7d7db9c5096951d820a995ad6a
                                    • Instruction ID: 1a0f97245fae9357194ccec2b83a2321a2aea9e706491c57adc83805307fd38b
                                    • Opcode Fuzzy Hash: f7c2af1bb043142c39582c922b6b11ae96e22a7d7db9c5096951d820a995ad6a
                                    • Instruction Fuzzy Hash: A3318E31A00A458FC720DF2DC88064ABBF1FF48314B04C6A9D89DCB316D731E989CB91
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C1F0CC), ref: 00C1F030
                                    • GetWindowTextLengthW.USER32(?), ref: 00C1F039
                                    • @System@GetMemory$qi.RTL250.BPL(00000001,00000000,00C1F0CC), ref: 00C1F04C
                                      • Part of subcall function 00BC292C: @System@@FillChar$qqrpvic.RTL250.BPL(00BF11CB,00000000,00BF15D2), ref: 00BC292E
                                    • GetWindowTextW.USER32(?,?,00000001), ref: 00C1F078
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,00C1F0AF,?,00000000,00C1F0CC), ref: 00C1F087
                                    • @System@Sysutils@Trim$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C1F0AF,?,00000000,00C1F0CC), ref: 00C1F092
                                    • @System@FreeMemory$qpv.RTL250.BPL(?,00C1F0B6,00000000,00C1F0CC), ref: 00C1F0A8
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C1F0D3), ref: 00C1F0C6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@Unicode$String.TextWindow$Asg$qqrr20Char$qqrpvic.Char$qqrr20Clr$qqrpv.FillFreeFromLengthMemory$qi.Memory$qpv.Stringpb.Stringx20Sysutils@Trim$qqrx20
                                    • String ID:
                                    • API String ID: 972987104-0
                                    • Opcode ID: 10ce358cc4fbc1f58af280e5863382dff24e79fc0823fee56d69cc3e79cd9244
                                    • Instruction ID: 40e4a718d66dc063d804c2246ac978c45fb4892cc5eba293606bf0bc31aea342
                                    • Opcode Fuzzy Hash: 10ce358cc4fbc1f58af280e5863382dff24e79fc0823fee56d69cc3e79cd9244
                                    • Instruction Fuzzy Hash: 3B219F75A04604AFC710DFA8DC52D9EB7F9EB8E300B5184BDF800E3752DA34ED029A60
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(00000000,00867BAC), ref: 00867B1F
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(00000000,00867BAC), ref: 00867B33
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00867B42
                                    • MulDiv.KERNEL32(00000001,00000064,00000000), ref: 00867B4E
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,00000001,00000064,00000000), ref: 00867B62
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,00000001,00000064,00000000), ref: 00867B73
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL ref: 00867B8B
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00867BB3), ref: 00867BA6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@L250List@Vcl@$System@$Count$qqrvSystem@@$CallClr$qqrpv.DynaFrame$qqriImageInst$qqrv.Item$qqriLoadRec.Rect$qqriiii.StringString$qqrp20Types@
                                    • String ID:
                                    • API String ID: 992647586-0
                                    • Opcode ID: 00a1251d3370b92d58a37053e14197e981be3e3217a9fada88eee7276b3d324d
                                    • Instruction ID: a0c6bb4394a3994eb348f251b22355b8aa5d0f26f0cc36536e88018c75ad5a6f
                                    • Opcode Fuzzy Hash: 00a1251d3370b92d58a37053e14197e981be3e3217a9fada88eee7276b3d324d
                                    • Instruction Fuzzy Hash: F6118471B046099FD704EF79CC419AFB7FDFB48310B518075F911D3291DA34D9098AA1
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00876902
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @System@@GetMem$qqri.RTL250.BPL(?), ref: 00876944
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?), ref: 00876962
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00876976
                                    • @Vcl@Imaging@Pngimage@TPNGList@Add$qqrp17System@TMetaClass.VCLIMG250 ref: 0087698D
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 0087699B
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 008769AD
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250 ref: 008769B4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$L250System@@$System@$List@Meta$Char$qqrpvic.Chunk@ClassFillHeader$qqrv$Add$qqrp17Class$qqrp17Class$qqrxp14Class.Clr$qqrpv.Data$qqrxuiFromImage@ItemItem$qqruiMem$qqri.Objectp17Resize
                                    • String ID:
                                    • API String ID: 926818194-0
                                    • Opcode ID: a3de9095180220ea41dd4004b1d7b67f5b921b176667ae789869d9021342ff67
                                    • Instruction ID: 5889219b13528928db8ea684da76387e7f8b31be101de835f7b6d3dfa08ebd16
                                    • Opcode Fuzzy Hash: a3de9095180220ea41dd4004b1d7b67f5b921b176667ae789869d9021342ff67
                                    • Instruction Fuzzy Hash: 2C117F712046908BCB00DB28D8C03956B91FB05315F1880B6EE4CCF34BE675DC9987A6
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A83A
                                    • @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085A84C
                                    • GetPaletteEntries.GDI32(?,00000000,00000100,00000000), ref: 0085A85E
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250(?,00000000,00000100,00000000), ref: 0085A867
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,00000100,00000000), ref: 0085A879
                                    • GetPaletteEntries.GDI32(?,00000000,00000100,?), ref: 0085A88D
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250(?,00000000,00000100,?,?,00000000,00000100,00000000), ref: 0085A896
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000,00000100,00000000), ref: 0085A8A3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: ColorGifimg@Imaging@L250System@@Vcl@$Colors$qqriEntriesLookup@Palette$AfterClassConstruction$qqrxp14Create$qqrpvzc.Lookup@$bctr$qqrp10Mem$qqri.Object.System@
                                    • String ID:
                                    • API String ID: 2887988062-0
                                    • Opcode ID: 38033f67314681d3a29bf2157a903b1f73bd0db50afa06f0c4602817baa89f2b
                                    • Instruction ID: a0a4b85a9da58dff8b0ed5cfc0448ee6c3841d3d8cc33959f20625ddb058903e
                                    • Opcode Fuzzy Hash: 38033f67314681d3a29bf2157a903b1f73bd0db50afa06f0c4602817baa89f2b
                                    • Instruction Fuzzy Hash: E401F5327442041BD714AA7C4CC2B5A7A84FF41751F1842B8B808DF386E9A5DC4D43A6
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250 ref: 00874845
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748B7
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748D5
                                      • Part of subcall function 008748B0: @System@TObject@Free$qqrv.RTL250.BPL(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748DA
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748EB
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00874854
                                    • @Vcl@Imaging@Pngimage@TPngImage@AssignPNG$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 00874861
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Image@System@$L250List@$AssignChunks$qqrvClass$qqrxp14Class.ClearFree$qqrv.G$qqrp30Gamma$qqrvImageInitializeItem$qqruiMetaObject@Objectp17PointerSize$qqrxuiSystem@@
                                    • String ID:
                                    • API String ID: 2698546465-0
                                    • Opcode ID: 84cba143d7930396e7518dfb8372acb5c6362da312681461a05c00541b183835
                                    • Instruction ID: a9667068509967a1a673ae0f5874f8cbbbc7d7d43a288bc227855d48374a58b2
                                    • Opcode Fuzzy Hash: 84cba143d7930396e7518dfb8372acb5c6362da312681461a05c00541b183835
                                    • Instruction Fuzzy Hash: 75F06220B005584B4610BBAE8C8551AA7CAFFC9756328D175F90CCB32ACFB0CC0E9397
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 008630CE
                                    • @Vcl@Imaging@Gifimg@TGIFList@Remove$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 008630E3
                                      • Part of subcall function 008599C0: @System@Classes@TList@RemoveItem$qqrpv23System@Types@TDirection.RTL250.BPL ref: 008599C5
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Clear$qqrv.VCLIMG250 ref: 008630EA
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008630F2
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008630FA
                                    • DeleteObject.GDI32(?), ref: 00863107
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL(?), ref: 00863112
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL(?), ref: 0086311D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    APIs
                                    • @Axrtl@System@Win@Registry@TRegistry@ReadIntegerDef$qqrx20System@UnicodeStringi.AXCOMPONENTSRTL.BPL(00000000,?,?,00BC6F93,?,?,?,00000000,00BC6FC7), ref: 00BC722F
                                    • @Axrtl@System@Win@Registry@TRegistry@ReadIntegerDef$qqrx20System@UnicodeStringi.AXCOMPONENTSRTL.BPL(00000000,?,?,00BC6F93,?,?,?,00000000,00BC6FC7), ref: 00BC7261
                                    • @Axrtl@System@Win@Registry@TRegistry@ReadIntegerDef$qqrx20System@UnicodeStringi.AXCOMPONENTSRTL.BPL(00000000,?,?,00BC6F93,?,?,?,00000000,00BC6FC7), ref: 00BC72A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    • String ID: Release
                                    APIs
                                      • Part of subcall function 00863F20: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00863F69,?,00000000,?,00863FA8,00000000,00864092,?,?,00000000,00000000), ref: 00863F46
                                      • Part of subcall function 00863F20: @System@@UStrClr$qqrpv.RTL250.BPL(00863F70,00000000,?,00863FA8,00000000,00864092,?,?,00000000,00000000), ref: 00863F63
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FE6
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FED
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FF4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@ClearImage$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FFB
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000), ref: 0086406B
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(?,?,00000000,00000000), ref: 00864077
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00864099,00000000), ref: 0086408C
                                    APIs
                                    • GetObjectW.GDI32(?,00000054,?), ref: 0085954C
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,0085963E), ref: 0085958E
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085963E), ref: 0085955F
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085963E), ref: 008595E3
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00859645), ref: 00859638
                                    Strings
                                    • String ID: (
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0086B05D), ref: 0086AF6B
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetDoDither$qqrv.VCLIMG250(00000000,0086B040,?,00000000,0086B05D), ref: 0086AFC9
                                    • @Vcl@Imaging@Gifimg@WebPalette$qqrv.VCLIMG250(00000000,0086B040,?,00000000,0086B05D), ref: 0086AFD2
                                    APIs
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A925
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A936
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A94B
                                    • @Vcl@Imaging@Gifimg@TGIFImage@InternalClear$qqrv.VCLIMG250(00000000,0086AA68,?,?,?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A961
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 00869899
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A0
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A8
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698B3
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698C7
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,0086AA68,?,?,?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A969
                                    • @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250(?,00000000,0086AA68,?,?,?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A9A5
                                      • Part of subcall function 00859760: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085976A
                                      • Part of subcall function 00859760: @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00859779
                                      • Part of subcall function 00859760: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00859787
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0086A9E3,0086AA68,?,?,?,?,00000000,00000000,?,00000000,0086AA8A), ref: 0086A9D6
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A61A
                                    • @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085A62C
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 0085A636
                                    • GetPaletteEntries.GDI32(?,00000000,00000100,00000000), ref: 0085A649
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085A652
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000,00000100,00000000), ref: 0085A65C
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085A6D4
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00871C88
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250 ref: 00871C93
                                      • Part of subcall function 00870BF8: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00870C06
                                      • Part of subcall function 00870BF8: @System@@AsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00870C11
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 00871CB9
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 00871CD6
                                    • @System@Sysutils@CompareMem$qqrpvt1i.RTL250.BPL ref: 00871D3C
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00871D57
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 00871D62
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,00000000,00871F9C), ref: 00871EE5
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(00000000,00870FD7), ref: 00870F40
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870F6A
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F7D
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F8C
                                      • Part of subcall function 00870F18: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00870FAB
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00870FBC
                                      • Part of subcall function 00870F18: @System@@UStrClr$qqrpv.RTL250.BPL(00870FDE), ref: 00870FD1
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,00871F9C), ref: 00871F07
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,00000000,00871F9C), ref: 00871F18
                                      • Part of subcall function 00874CA4: @System@@UStrAddRef$qqrpv.RTL250.BPL(?,?,?,00870A23), ref: 00874CB1
                                      • Part of subcall function 00874CA4: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CCB
                                      • Part of subcall function 00874CA4: @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CD0
                                      • Part of subcall function 00874CA4: @System@@UStrClr$qqrpv.RTL250.BPL(00874CF2,?,?,?,00870A23), ref: 00874CE5
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,00871F9C), ref: 00871F2A
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,00000000,00871F9C), ref: 00871F38
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250(?,00000000,00871F9C), ref: 00871F3F
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00871FA3), ref: 00871F96
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 008657BF
                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 008657CF
                                    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,Function_000300C6), ref: 00865803
                                    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,00EE0086), ref: 00865835
                                    • SetTextColor.GDI32(?,00000000), ref: 0086583F
                                    • SetTextColor.GDI32(?,00000000), ref: 00865849
                                    • SelectObject.GDI32(?,00000000), ref: 00865869
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250 ref: 0087447B
                                      • Part of subcall function 00870BF8: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00870C06
                                      • Part of subcall function 00870BF8: @System@@AsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00870C11
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 0087448E
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 008744A1
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250(00000000,00000100,?), ref: 008744B7
                                    • GetPaletteEntries.GDI32(?,00000000,00000100,?), ref: 008744C0
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250(?,00000000,00000100,?), ref: 008744CA
                                    • @Vcl@Imaging@Pngimage@TChunk@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250(?,00000000,00000100,?), ref: 00874528
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Chunk@$Header$qqrvSystem@$L250System@@$Char$qqrpvic.Class$qqrxp14Class.Classes@Data$qqrxuiEntriesFillItem$qqruiList@MetaObjectp17PaletteResizeSaveStreamStream$qqrp22
                                    • String ID:
                                    • API String ID: 2788236936-0
                                    APIs
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Lock$qqrv.OXCOMPONENTSRTL ref: 00C27201
                                      • Part of subcall function 00C266CC: @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(?,00C26311), ref: 00C266D2
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C27289), ref: 00C27216
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00C27289), ref: 00C27228
                                    • @System@Generics@Collections@%TList__1$p61Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProduct%@GetItem$qqri.OXCOMPONENTSRTL(00000000,00C27289), ref: 00C27242
                                    • @System@Sysutils@SameText$qqrx20System@UnicodeStringt1.RTL250.BPL(00000000,00C27289), ref: 00C27252
                                    • @System@@TryFinallyExit$qqrv.RTL250.BPL(00000000,00C27289), ref: 00C27260
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Unlock$qqrv.OXCOMPONENTSRTL(00C27290), ref: 00C27283
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Security$L250$Oxrtl@Securitycenter@System@@Utils@$Center@Exit$qqrv.FinallySystemUnicode$Collections@%CriticalEnter$qqrv.Generics@Item$qqriLen$qqrx20List__1$p61Lock$qqrvProduct%@SameSection@String.Stringt1.Syncobjs@Sysutils@Text$qqrx20Unlock$qqrv
                                    • String ID:
                                    • API String ID: 2262530383-0
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C14078
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C1408B
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C140A6
                                    • @Oxrtl@Winapi@Powrprof@PowrProf@GetActivePwrScheme$qqrrui.OXCOMPONENTSRTL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C140D7
                                    • @Oxrtl@System@Powerutils@PowerUtils@EnumSchemesXP$qqr114System@%DelphiInterface$87System@Sysutils@%TFunc__2$p56Oxrtl@System@Powerutils@PowerUtils@TXPEnumSchemeInfoDatao%%.OXCOMPONENTSRTL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C140F4
                                    • @Oxrtl@System@Utils@SysUtils@GetTickCount64$qqrv.OXCOMPONENTSRTL(00000000,00C1411D,BC10EFC8,?,00C10CE0), ref: 00C140F9
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C14124,?,00C10CE0), ref: 00C14117
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Utils@$Oxrtl@$DelphiSystem@%$Interface$17L250$Count64$qqrvEnumInterface%.IntfPowerPowerutils@System@@Tick$ActiveClear$qqrr44Copy$qqrr44Datao%%Func__2$p56InfoInterface$87Interface%x44Object@$bctr$qqrv.P$qqr114PowrPowrprof@Prof@SchemeScheme$qqrruiSchemesSysutils@%Winapi@
                                    • String ID:
                                    • API String ID: 2378340558-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@SetMaxIdatSize$qqrxi.VCLIMG250 ref: 00876638
                                    • @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250 ref: 00876659
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748B7
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748D5
                                      • Part of subcall function 008748B0: @System@TObject@Free$qqrv.RTL250.BPL(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748DA
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748EB
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250 ref: 0087666D
                                      • Part of subcall function 0087084C: @System@@GetMem$qqri.RTL250.BPL(00000000,038D2148,00870789,?,?,0087021B), ref: 00870863
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 00876690
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetItem$qqruipxv.VCLIMG250 ref: 008766B0
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250 ref: 008766B9
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000), ref: 008766C7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$List@$Item$qqrui$Pointer$Image@$L250Size$qqrxui$Chunks$qqrvClearFree$qqrv.Gamma$qqrvIdatInitializeItem$qqruipxvMem$qqri.Object@Size$qqrxiSystem@System@@
                                    • String ID:
                                    • API String ID: 3456118653-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 00871465
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00871472
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL ref: 00871480
                                    • @System@Move$qqrpxvpvi.RTL250.BPL ref: 0087149C
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL ref: 008714B8
                                    • @System@Move$qqrpxvpvi.RTL250.BPL ref: 008714D5
                                    • @Vcl@Imaging@Pngimage@TChunk@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250 ref: 008714DE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$String$System@System@@$A$qqrr27AnsiChunk@Imaging@Move$qqrpxvpvi.Pngimage@System@%T$us$i0$%.UniqueVcl@$Char$qqrpvic.Classes@Data$qqrxuiFillResizeSaveStreamStream$qqrp22
                                    • String ID:
                                    • API String ID: 753902907-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(00000000,00870FD7), ref: 00870F40
                                      • Part of subcall function 00870BA8: @System@@ReallocMem$qqrrpvi.RTL250.BPL ref: 00870BAF
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870F6A
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F7D
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F8C
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00870FAB
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00870FBC
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00870FDE), ref: 00870FD1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Vcl@$System@$L250Pngimage@$Array$uci$i65536$%iPngimage@update_crc$qqruip32StaticStringSystem@%System@@$ByteChunk@Class20Clr$qqrpv.Data$qqrxuiError$qqrp17Image@LoadMem$qqrrpvi.MetaRaiseReallocRec.ResizeString$qqrp20Swap$qqrxiUnicode
                                    • String ID:
                                    • API String ID: 3111016341-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00870C5D
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870C7E
                                    • @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870C99
                                    • @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CA6
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CC7
                                    • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL250.BPL(?,00000000,00870CF2,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CD7
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00870CF9,?,00000000,00870D70,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00870CEC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$Class$Name$qqrv.Object@Unicode$AnsiClr$qqrpv.Copy$qqrx20Create$qqrpvzc.FromObject@$bctr$qqrv.Str$qqrr27StringStringii.Stringus.System@%T$us$i0$%x20
                                    • String ID:
                                    • API String ID: 3338369605-0
                                    APIs
                                      • Part of subcall function 00859758: @Vcl@Graphics@TBitmap@SetPixelFormat$qqr25Vcl@Graphics@TPixelFormat.VCL250.BPL(0085A01F,?,?,?,?,0085ECD2,00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 00859758
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E13
                                    • @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 00864E1D
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E24
                                    • @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 00864E2E
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E35
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000), ref: 00864E48
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00864E5C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Graphics@Vcl@$L250$Bitmap@$Canvas$qqrv.$Brush@Pixel$BrushColor$qqr21Color.Format$qqr25Format.Style$qqr24Style.System@Uitypes@
                                    • String ID:
                                    • API String ID: 3171129552-0
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 00864191
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 008641A3
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 008641B0
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 008641C7
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 008641D6
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,008641FF,?,?,?,?,00000000,00000000,00000000), ref: 008641DD
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00864206,?,?,?,00000000,00000000,00000000), ref: 008641F9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Frame@Gifimg@Imaging@System@Vcl@$L250$FreeLoadRec.StringString$qqrp20$ActiveArrayBitmap$qqrvClr$qqrpvi.ColorMap$qqrvMask$qqrvScanline$qqriSystem@@
                                    • String ID:
                                    • API String ID: 3424213211-0
                                    APIs
                                    • @Oxrtl@System@Filemapped@TMappedStream@GetActivePage$qqrv.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED395
                                      • Part of subcall function 00BECBD4: @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,00BECB16), ref: 00BECBEB
                                    • @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3BA
                                    • @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3D4
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@GetActive$qqrv.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3D9
                                    • @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3E7
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@GetOpen$qqrv.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3EC
                                    • @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,00000000,?,?,00BED216,?,?,?,?), ref: 00BED3FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Filemapped@MappedOxrtl@$Collections@%Generics@Item$qqriList__1$p35Page%@$CustomMemory@$ActiveActive$qqrvOpen$qqrvPage$qqrvStream@
                                    • String ID:
                                    • API String ID: 1928653049-0
                                    APIs
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000,0086A8C2), ref: 0086A823
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?,00000000,0086A8C2), ref: 0086A85C
                                    • @System@Sysutils@UpperCase$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,0086A8C2), ref: 0086A867
                                    • @System@@UStrEqual$qqrv.RTL250.BPL(?,00000000,0086A8C2), ref: 0086A874
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(?,?,0086A8A7), ref: 0086A89A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Classes@Stream@System@@Unicode$Array$qqrr20Case$qqrx20Equal$qqrv.FromPosition$qqrv.Position$qqrxj.String.Stringpci.Sysutils@Upper
                                    • String ID: GIF
                                    • API String ID: 4012715843-881873598
                                    • Opcode ID: bd2e0ceba6558275a16979fcf02870d1c25cf888f66d685ad55f2fac88436da7
                                    • Instruction ID: aa203ddeb8bf4ba63caa229097e7ec0cbf1a283d4936776c909a620648895c79
                                    • Opcode Fuzzy Hash: bd2e0ceba6558275a16979fcf02870d1c25cf888f66d685ad55f2fac88436da7
                                    • Instruction Fuzzy Hash: E4116D309042099FDF09DF98C8529AEBBB5FB49300B5244B5E911F7750DB346E05DFA2
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD5093
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD50A6
                                    • @Oxrtl@System@Display@Display@IsFullScreenWindow$qqrv.OXCOMPONENTSRTL(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD50AB
                                    • GetForegroundWindow.USER32(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD50B4
                                    • @Oxrtl@System@Display@Display@ShellWindow$qqrv.OXCOMPONENTSRTL(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD50BF
                                      • Part of subcall function 00BD59A8: GetShellWindow.USER32 ref: 00BD59AB
                                    • @Oxrtl@System@Display@Display@EnumWindows$qqr63System@%DelphiInterface$36System@Sysutils@%TFunc__2$p6HWND__o%%.OXCOMPONENTSRTL(00000000,00BD50FD,?,?,?,?,00000000), ref: 00BD50D9
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BD5104,?,?,?,00000000), ref: 00BD50F7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Display@$DelphiSystem@%$Interface$17L250Oxrtl@$Interface%.IntfShellSystem@@WindowWindow$qqrv$Clear$qqrr44Copy$qqrr44D__o%%EnumForegroundFullFunc__2$p6Interface$36Interface%x44Object@$bctr$qqrv.ScreenSysutils@%Windows$qqr63
                                    • String ID:
                                    • API String ID: 2161489036-0
                                    • Opcode ID: faa7602bb814004bb5233694a785dc3bfb6fbddeb303bcd0f6712e15cc99df59
                                    • Instruction ID: 399862e587f8d0e22a756ad2aecd075af68ebfd58589cd3b3d63c3ceb6be1a3b
                                    • Opcode Fuzzy Hash: faa7602bb814004bb5233694a785dc3bfb6fbddeb303bcd0f6712e15cc99df59
                                    • Instruction Fuzzy Hash: 9F01D671600A45AFD320EF7D8841F05FBE5EB8635075046A7E450D3791FB31D80087A5
                                    APIs
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00C13368
                                    • @Oxrtl@System@Powerutils@PowerUtils@GetPowerSource$qqrv.OXCOMPONENTSRTL ref: 00C13377
                                    • @Axrtl@Project@Eventnotifier@EventNotifier@NotifyAsync$qqruiuii.AXCOMPONENTSRTL.BPL ref: 00C13393
                                    • @System@TGUID@_op_Equality$qqrrx5_GUIDt1.RTL250.BPL ref: 00C133A5
                                    • @Oxrtl@System@Powerutils@PowerUtils@GetPowerSource$qqrv.OXCOMPONENTSRTL ref: 00C133BC
                                      • Part of subcall function 00C131F8: @Oxrtl@System@Powerutils@PowerUtils@GetIsBatteryDischarging$qqrv.OXCOMPONENTSRTL ref: 00C131FB
                                    • @Axrtl@Project@Eventnotifier@EventNotifier@NotifyAsync$qqruiuii.AXCOMPONENTSRTL.BPL ref: 00C133D8
                                    • @Axrtl@System@Sysutils@SysUtils@DefWindowProc$qqruir24Winapi@Messages@TMessage.AXCOMPONENTSRTL.BPL ref: 00C133E4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Axrtl@Power$Utils@$Oxrtl@Powerutils@$Async$qqruiuii.EventEventnotifier@Notifier@NotifyOsinfo@Project@Source$qqrvWin@$BatteryD@_op_Discharging$qqrvDt1.Equality$qqrrx5_Info@L250Message.Messages@Proc$qqruir24Sysutils@Versiont1.Winapi@WindowWindowsWindows$qqr39
                                    • String ID:
                                    • API String ID: 1819957905-0
                                    • Opcode ID: f5481e91c12143d989d1ca2a8337974570467cfb9174864cc5943199243dcaf7
                                    • Instruction ID: ff5f2e05a03127f807a77f3d089cd3f70353d9cf9d2be3f8d0d4d6a1479d2e11
                                    • Opcode Fuzzy Hash: f5481e91c12143d989d1ca2a8337974570467cfb9174864cc5943199243dcaf7
                                    • Instruction Fuzzy Hash: B601E9347042D49FDB31AB56D8857AD37A56B033187C840EAD4B247227CAF09BCAF765
                                    APIs
                                    • @System@@DynArrayAddRef$qqrpv.RTL250.BPL(?,?,00000000,00000000), ref: 00C5C059
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL(?,?,00000000,00000000), ref: 00C5C067
                                    • @Oxrtl@System@Rtti@TRttiContextHelper@Lock$qqrv.OXCOMPONENTSRTL(00000000,00C5C242,?,?,?,00000000,00000000), ref: 00C5C07D
                                    • @System@@CopyRecord$qqrv.RTL250.BPL(00000000,00C5C242,?,?,?,00000000,00000000), ref: 00C5C08E
                                    • @System@TObject@ClassType$qqrv.RTL250.BPL(00000000,00C5C0CC,?,00000000,00C5C242,?,?,?,00000000,00000000), ref: 00C5C0A4
                                    • @System@Rtti@TRttiContext@GetType$qqrp17System@TMetaClass.RTL250.BPL(00000000,00C5C0CC,?,00000000,00C5C242,?,?,?,00000000,00000000), ref: 00C5C0AE
                                    • @Oxrtl@System@Rtti@TRttiContextHelper@Unlock$qqrv.OXCOMPONENTSRTL(00C5C0D3,00000000,00C5C242,?,?,?,00000000,00000000), ref: 00C5C0C6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$RttiRtti@System@@$ContextHelper@Oxrtl@$ArrayClassClass.Context@CopyInitializeLock$qqrvMetaObject@Record$qqrpvt1.Record$qqrv.Ref$qqrpv.Type$qqrp17Type$qqrv.Unlock$qqrv
                                    • String ID:
                                    • API String ID: 2439359828-0
                                    • Opcode ID: a0f147fedda8149cba03a0b764e64f4311ef02d0e6aaaf62ec8c355860a6e038
                                    • Instruction ID: 9da405636a4217ba45eacfcdf6e61b7ba67e20cc3b05102889cb5915bb70781c
                                    • Opcode Fuzzy Hash: a0f147fedda8149cba03a0b764e64f4311ef02d0e6aaaf62ec8c355860a6e038
                                    • Instruction Fuzzy Hash: 5E112A74A14208EFDB01DF68CC92BDEBBF8FB49700F9144BAE400E3691E6356E44CA64
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C012B2
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(05000100,?,?,?,?,BC108FF0,6F647475,?,?,?,?,?,?,BC108FF4,?,BC108FFC), ref: 00C012C1
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C01329,BC108FE8,05000100,?,?,?,?,BC108FF0,6F647475), ref: 00C012D8
                                    • @Axrtl@System@Win@Internet@THTTPFormDataPost@$bctr$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(BC108FF0,6F647475,?,?,?,?,?,?,BC108FF4,?,BC108FFC,BC109000,?), ref: 00C012F4
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(BC108FF0,6F647475,?,?,?,?,?,?,BC108FF4,?,BC108FFC,BC109000,?), ref: 00C01304
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(BC108FF0,6F647475,?,?,?,?,?,?,BC108FF4,?,BC108FFC,BC109000,?), ref: 00C0130E
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C01330,?,?,?,?,?,BC108FF4,?,BC108FFC,BC109000,?), ref: 00C01323
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$DelphiInterface$17System@%$Interface%.IntfUnicode$String.$Asg$qqrr20Axrtl@ClassClear$qqrr44Copy$qqrr44Create$qqrpvzc.DataFormInterface%x44Internet@Object@$bctr$qqrv.Post@$bctr$qqrx20Ref$qqrx44Stringx20Win@
                                    • String ID:
                                    • API String ID: 751059966-0
                                    • Opcode ID: 1f270414be060b1854bb22de36fc34400e9df2c3dd64e76e5be892bfaa40b493
                                    • Instruction ID: 6048c834225fb1b7b28b305996517efb5d0d690ab260fcda4a672f0ff2d0b997
                                    • Opcode Fuzzy Hash: 1f270414be060b1854bb22de36fc34400e9df2c3dd64e76e5be892bfaa40b493
                                    • Instruction Fuzzy Hash: 2801DE302042446FC700EF3CC882E5ABBD8DB8A39075489BAFC08CB656EA35D905C7A0
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00BFB0DB,?,?,?,?,00000000,00000000), ref: 00BFB07F
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BFB0DB,?,?,?,?,00000000,00000000), ref: 00BFB092
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BFB0DB,?,?,?,?,00000000,00000000), ref: 00BFB09C
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BFB0DB,?,?,?,?,00000000,00000000), ref: 00BFB0AD
                                    • @System@Generics@Collections@TListHelper@InternalPack4$qqrx85System@%DelphiInterface$58System@Generics@Collections@TListHelper@TInternalEmptyFunc%.RTL250.BPL(00000000,00BFB0DB,?,?,?,?,00000000,00000000), ref: 00BFB0B8
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BFB0E2,?,?,?,00000000,00000000), ref: 00BFB0CD
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BFB0E2,?,?,?,00000000,00000000), ref: 00BFB0D5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17$L250$Interface%.IntfSystem@@$Copy$qqrr44Interface%x44$Clear$qqrr44Collections@Generics@Helper@InternalList$EmptyFunc%.Interface$58Object@$bctr$qqrv.Pack4$qqrx85
                                    • String ID:
                                    • API String ID: 4147781702-0
                                    • Opcode ID: 29daf969fcb3db0367043dcf83fee7b047e0b7b5560e85e9a1612f0773cbb3f2
                                    • Instruction ID: 4c9f89ecf2b042a4e50d8c36f780a83ea984dd69ae50ae9272ada910a9599f69
                                    • Opcode Fuzzy Hash: 29daf969fcb3db0367043dcf83fee7b047e0b7b5560e85e9a1612f0773cbb3f2
                                    • Instruction Fuzzy Hash: 2E01D8316006086BD711EA79CC52E9AB7EDDBC5720BA089F5E81093A96DF30EE098514
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00BCE0C3,?,?,?,?,00000000,00000000), ref: 00BCE067
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE0C3,?,?,?,?,00000000,00000000), ref: 00BCE07A
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE0C3,?,?,?,?,00000000,00000000), ref: 00BCE084
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE0C3,?,?,?,?,00000000,00000000), ref: 00BCE095
                                    • @System@Generics@Collections@TListHelper@InternalPackManaged$qqrx85System@%DelphiInterface$58System@Generics@Collections@TListHelper@TInternalEmptyFunc%.RTL250.BPL(00000000,00BCE0C3,?,?,?,?,00000000,00000000), ref: 00BCE0A0
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCE0CA,?,?,?,00000000,00000000), ref: 00BCE0B5
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCE0CA,?,?,?,00000000,00000000), ref: 00BCE0BD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17$L250$Interface%.IntfSystem@@$Copy$qqrr44Interface%x44$Clear$qqrr44Collections@Generics@Helper@InternalList$EmptyFunc%.Interface$58Managed$qqrx85Object@$bctr$qqrv.Pack
                                    • String ID:
                                    • API String ID: 1205184527-0
                                    • Opcode ID: 926809e16fbb83c220c425d1bae0eb5f08dc806a81cf140055e4ad93f1b26d4d
                                    • Instruction ID: 7331dbf05b7f2939783602bc642eb876e8eccb30c89850a10ebc1a3605cbcb59
                                    • Opcode Fuzzy Hash: 926809e16fbb83c220c425d1bae0eb5f08dc806a81cf140055e4ad93f1b26d4d
                                    • Instruction Fuzzy Hash: 4D01FC31600608ABD710EE79CC53F9AB7EDDBC5720BA085FAE81093A96DB70EE044554
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C4A1C7,?,?,?,?,00000000,00000000), ref: 00C4A16B
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C4A1C7,?,?,?,?,00000000,00000000), ref: 00C4A17E
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C4A1C7,?,?,?,?,00000000,00000000), ref: 00C4A188
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C4A1C7,?,?,?,?,00000000,00000000), ref: 00C4A199
                                    • @System@Generics@Collections@TListHelper@InternalPackN$qqrx85System@%DelphiInterface$58System@Generics@Collections@TListHelper@TInternalEmptyFunc%.RTL250.BPL(00000000,00C4A1C7,?,?,?,?,00000000,00000000), ref: 00C4A1A4
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C4A1CE,?,?,?,00000000,00000000), ref: 00C4A1B9
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C4A1CE,?,?,?,00000000,00000000), ref: 00C4A1C1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17$L250$Interface%.IntfSystem@@$Copy$qqrr44Interface%x44$Clear$qqrr44Collections@Generics@Helper@InternalList$EmptyFunc%.Interface$58N$qqrx85Object@$bctr$qqrv.Pack
                                    • String ID:
                                    • API String ID: 3450639749-0
                                    • Opcode ID: e5ab6b1345eb793e02e56b499c7c07ec79fe0ede340dd514ee257fcd1c14f76f
                                    • Instruction ID: d66b16db45c95bda936dcc3c43d771b556d0d7ed320b19eec657ce8c21c91d45
                                    • Opcode Fuzzy Hash: e5ab6b1345eb793e02e56b499c7c07ec79fe0ede340dd514ee257fcd1c14f76f
                                    • Instruction Fuzzy Hash: 0601D835640644BBD311EA69CC82F9EB7EDEBC5720FA085B5E81063A96DB30EE048514
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C1B3E7
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1B46F,?), ref: 00C1B404
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(?), ref: 00C1B412
                                    • @System@Generics@Collections@%TList__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@$bctr$qqrx128System@%DelphiInterface$100System@Generics@Defaults@%IComparer__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%%.OXCOMPONENTSRTL ref: 00C1B440
                                    • @Oxrtl@System@Processes@Processes@TProcessList@SetFilter$qqrxp41Oxrtl@System@Processes@TProcessListFilter.OXCOMPONENTSRTL ref: 00C1B44D
                                    • @Oxrtl@System@Processes@Processes@TProcessList@Update$qqrv.OXCOMPONENTSRTL ref: 00C1B454
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1B476), ref: 00C1B469
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Processes@$DelphiSystem@%$Oxrtl@$L250$Interface$17ProcessSystem@@$Generics@Interface$31Interface%.IntfList@$ClassClear$qqrr44Collections@%Comparer__1$58Copy$qqrr44Create$qqrpvzc.Defaults@%FilterFilter$qqrxp41Interface$100Interface%x44ListList__1$58Object@$bctr$qqrv.Process%%%Process%%@$bctr$qqrx128Update$qqrv
                                    • String ID:
                                    • API String ID: 3973300412-0
                                    • Opcode ID: 505df1a0e9595d17478a7c6288b4e93f7a8bd81859dc5da5047901ba9bc5c131
                                    • Instruction ID: 2a75b7cf1c2da954e0c6da7ff2582bbe6a916b39e93d2981380b1a94236adaac
                                    • Opcode Fuzzy Hash: 505df1a0e9595d17478a7c6288b4e93f7a8bd81859dc5da5047901ba9bc5c131
                                    • Instruction Fuzzy Hash: 090176307006086B8300EB288C82EAD77DADB8B750794C0B5F80093352DB399D01BA91
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A2F
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A46
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A59
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A61
                                      • Part of subcall function 0085F404: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,0085F3E2), ref: 0085F410
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A6D
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportColorMap$qqrx52System@%DynamicArray$28Vcl@Imaging@Gifimg@TGIFColor%i.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A78
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetColorMap$qqrv.VCLIMG250(?,00000000,?,00868B7C), ref: 00868A80
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Color$List@$Frame$qqriImageImage@Map$qqrvMap@$ArrayArray$28Clear$qqrrpvpv.Clear$qqrvColor%iCount$qqrvDynamicImportItem$qqriL250Map$qqrx52System@%System@@
                                    • String ID:
                                    • API String ID: 2184157757-0
                                    • Opcode ID: 0b72a438ea1a94ae5c041036874608fcacdef8910b7df7ab1c48afaef8d6984b
                                    • Instruction ID: 76f151e513d3adbe0ae71aeec42b0985535b577334dbaf86aa658ac102613ee1
                                    • Opcode Fuzzy Hash: 0b72a438ea1a94ae5c041036874608fcacdef8910b7df7ab1c48afaef8d6984b
                                    • Instruction Fuzzy Hash: 7301D275210560CFCB10EB2DC581E167BA4FF8471571681E2ED48CF32BDA20EC428BA2
                                    APIs
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@GetEnumerator$qqrv.OXCOMPONENTSRTL(00000000,00BE0321), ref: 00BE01CD
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@TEnumerator@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00BE0304,?,00000000,00BE0321), ref: 00BE02D9
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BE0328), ref: 00BE031B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Collections@%ConditionEventEventlog@Generics@Interface$57Internal%%@List__1$84Log@Oxrtl@Windows$Clear$qqrr44Enumerator$qqrvEnumerator@Interface$17Interface%.IntfL250MoveNext$qqrvSystem@@
                                    • String ID:
                                    • API String ID: 1763407181-0
                                    • Opcode ID: a32b368be1186c10a4a8b4c81d5b0298d73c7796f4eb7eabe773c1de734f8a43
                                    • Instruction ID: 6f998c66198476c3007195c597bd245bfb8e8af91e6a835e69824ed1dd647bb9
                                    • Opcode Fuzzy Hash: a32b368be1186c10a4a8b4c81d5b0298d73c7796f4eb7eabe773c1de734f8a43
                                    • Instruction Fuzzy Hash: B4518434A142C4EFDF14EEA6C089BAD77E2EF55304F2484E9D901A7251C7F19D85DB12
                                    APIs
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(00000000,00861008), ref: 00860ED3
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0086100F), ref: 00861002
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$ArrayClr$qqrpvi.Move$qqrpxvpvi.System@System@@
                                    • String ID:
                                    • API String ID: 2002125811-0
                                    • Opcode ID: 96069c1a23a2046fdbf1d4869dc06e154c645884c4f63ebe32055dad7baf22ad
                                    • Instruction ID: 9cc2325e930ec354d598dda9e5d66cf29143e15ed924a75261d1c4f5f7c62175
                                    • Opcode Fuzzy Hash: 96069c1a23a2046fdbf1d4869dc06e154c645884c4f63ebe32055dad7baf22ad
                                    • Instruction Fuzzy Hash: 0C514C74A087449FC720DF78C484AAEBBF4FF49310B118A99E895D7792DB30E9498F25
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportPalette$qqrp10HPALETTE__.VCLIMG250(?,00000000,0000FFFD,?), ref: 00864869
                                      • Part of subcall function 0085F5D0: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F5DF
                                      • Part of subcall function 0085F5D0: GetPaletteEntries.GDI32(?,00000000,00000100,?), ref: 0085F5F1
                                      • Part of subcall function 0085F5D0: @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250(?,00000000,00000100,?), ref: 0085F604
                                    • MulDiv.KERNEL32(?,00000064,?), ref: 008648A3
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,00000064,?,?,00000000,0000FFFD,?), ref: 008648B7
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,?,00000064,?,?,00000000,0000FFFD,?), ref: 008648C8
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,?,00000064,?,?,00000000,0000FFFD,?), ref: 008648E6
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0086495C,?), ref: 0086494F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$ColorGifimg@Imaging@Map@System@Vcl@$System@@$CallCapacity$qqriClear$qqrvClr$qqrpv.DynaEntriesImportInst$qqrv.LoadPalettePalette$qqrp10Rec.Rect$qqriiii.StringString$qqrp20Types@
                                    • String ID:
                                    • API String ID: 2448153998-0
                                    • Opcode ID: 2e3e92eb9a6759188f415749f231a714d91d44d123f495f29e4097252c0b4e9e
                                    • Instruction ID: 2830b88eb393430cd2839c9982e8abdc6353af1fbe4cdfe134285be32c08ca47
                                    • Opcode Fuzzy Hash: 2e3e92eb9a6759188f415749f231a714d91d44d123f495f29e4097252c0b4e9e
                                    • Instruction Fuzzy Hash: C341F475A00609AFDB04DF68C989AAEBBF9FB49311F1180A5FD44DB361D634EE44CB60
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportPalette$qqrp10HPALETTE__.VCLIMG250(?,0000FFFD,?), ref: 00864739
                                      • Part of subcall function 0085F5D0: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F5DF
                                      • Part of subcall function 0085F5D0: GetPaletteEntries.GDI32(?,00000000,00000100,?), ref: 0085F5F1
                                      • Part of subcall function 0085F5D0: @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250(?,00000000,00000100,?), ref: 0085F604
                                    • MulDiv.KERNEL32(?,00000064,?), ref: 00864773
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,00000000,?,00000064,?,?,0000FFFD,?), ref: 00864787
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,00000000,?,00000064,?,?,0000FFFD,?), ref: 00864798
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,00000000,?,00000064,?,?,0000FFFD,?), ref: 008647B6
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00864822), ref: 00864815
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$ColorGifimg@Imaging@Map@System@Vcl@$System@@$CallCapacity$qqriClear$qqrvClr$qqrpv.DynaEntriesImportInst$qqrv.LoadPalettePalette$qqrp10Rec.Rect$qqriiii.StringString$qqrp20Types@
                                    • String ID:
                                    • API String ID: 2448153998-0
                                    • Opcode ID: 7647aa6e71db9026ee199c933a08963fec79c0ee5c24f7e2c2ce8b78e8041dcc
                                    • Instruction ID: f95d128a4951861e5a7cb06df88e2a8dd94a1e7bb675fa0861df674edd38a802
                                    • Opcode Fuzzy Hash: 7647aa6e71db9026ee199c933a08963fec79c0ee5c24f7e2c2ce8b78e8041dcc
                                    • Instruction Fuzzy Hash: 57411478600648AFDB00DF68C985AAEBBF5FB09311F1180A1FD85DB361D634EE45CBA1
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 0086B8E8
                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0086B919
                                    • GlobalLock.KERNEL32(?,00000000,0086B994,?,00000002,00000000), ref: 0086B93F
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?,00000000,0086B994,?,00000002,00000000), ref: 0086B965
                                    • GlobalUnlock.KERNEL32(?,0086B98A,0086B994,?,00000002,00000000), ref: 0086B97D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Global$L250System@$AllocLockMove$qqrpxvpvi.Object@$bctr$qqrv.Unlock
                                    • String ID:
                                    • API String ID: 1945186209-0
                                    • Opcode ID: 69826ccc84eb7d278574767650f3a2c05c638ba9425b121add9a1b57085b3f0d
                                    • Instruction ID: 6551cc78d64692413c618aa146066af110094d51a5181d6c131fbe77869705b7
                                    • Opcode Fuzzy Hash: 69826ccc84eb7d278574767650f3a2c05c638ba9425b121add9a1b57085b3f0d
                                    • Instruction Fuzzy Hash: C7318934604604AFD705CF69D89192ABBF9FF8A714B6244B5F804CB7A0EB34AD40DB50
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,00000000,0087444D), ref: 00874334
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(00000000,00870FD7), ref: 00870F40
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870F6A
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F7D
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F8C
                                      • Part of subcall function 00870F18: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00870FAB
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00870FBC
                                      • Part of subcall function 00870F18: @System@@UStrClr$qqrpv.RTL250.BPL(00870FDE), ref: 00870FD1
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0087444D), ref: 00874374
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?,00000000,0087444D), ref: 00874388
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(?,00000000,0087444D), ref: 008743AC
                                    • CreatePalette.GDI32(00000300), ref: 00874426
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00874454), ref: 00874447
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Imaging@Vcl@$L250Pngimage@$String$LoadStaticSystem@%System@@$Array$uci$i65536$%iChunk@Class20Clr$qqrpv.Error$qqrp17Image@MetaPngimage@update_crc$qqruip32RaiseRec.String$qqrp20Unicode$Array$ci$i4$%iByteChar$qqrpvic.Classes@CreateData$qqrxuiFillFromPaletteResizeStream$qqrp22Streamx27Swap$qqrxi
                                    • String ID:
                                    • API String ID: 4035725829-0
                                    • Opcode ID: a4d8c48c9bcf5dc7be40b7ff20220d2300363a7af6d0d020a17fde42fdb8014c
                                    • Instruction ID: 804a35f97ea1aac2c906561f5664189bdbb6d6e76cc63450fffc68e00f218513
                                    • Opcode Fuzzy Hash: a4d8c48c9bcf5dc7be40b7ff20220d2300363a7af6d0d020a17fde42fdb8014c
                                    • Instruction Fuzzy Hash: 3E41BFB06051588BCB05CF28D8906AABBE5FF49300F49C0EAE94DDB346D674DE45CBA5
                                    APIs
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewImage$qqrv.VCLIMG250(?,?,?,?,008793AC), ref: 00879437
                                      • Part of subcall function 008793CC: @Vcl@Graphics@TSharedImage@Release$qqrv.VCL250.BPL(0088D300,?,008781EC), ref: 008793D7
                                      • Part of subcall function 008793CC: @System@TObject@$bctr$qqrv.RTL250.BPL(0088D300,?,008781EC), ref: 008793E3
                                    • @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,008793AC), ref: 00879442
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,?,008793AC), ref: 0087945C
                                    • @System@Classes@TStream@SetSize64$qqrxj.RTL250.BPL(00000000,?,?,?,?,?,008793AC), ref: 0087946D
                                    • @System@Classes@TStream@ReadBuffer$qqrpvi.RTL250.BPL(00000000,?,?,?,?,?,008793AC), ref: 0087947D
                                      • Part of subcall function 008797F4: memset.MSVCRT ref: 0087984C
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,00000000,00000000,00879542,?,00000000,?,?,?,?,?,008793AC), ref: 008794D2
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$Classes@Stream@$Image@Object@$bctr$qqrv.Vcl@$Buffer$qqrpvi.Free$qqrv.Graphics@Image$qqrvImaging@Jpeg@Object@Position$qqrxj.ReadRelease$qqrv.SharedSize64$qqrxj.memset
                                    • String ID:
                                    • API String ID: 2870053791-0
                                    • Opcode ID: daa45716cbe1fd6a3c29c0c90c89842ab8aa48e64637699f680897d4ba727ab2
                                    • Instruction ID: 25329947d3bbf721c9297d654a2737457255f563835f4849c858675a0b8ac375
                                    • Opcode Fuzzy Hash: daa45716cbe1fd6a3c29c0c90c89842ab8aa48e64637699f680897d4ba727ab2
                                    • Instruction Fuzzy Hash: 5E311735A042189FCB14EF68C885A8AB7F5FB49310F1481E5E808EB366D631EE45DB91
                                    APIs
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868BAD), ref: 008684DA
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868BAD), ref: 008684ED
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868BAD), ref: 0086852C
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(?,00000000,00000000,?,00868BAD), ref: 00868543
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(?,00000000,00000000,?,00868BAD), ref: 00868560
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@SetTransparentColorIndex$qqruc.VCLIMG250(?,00000000,00000000,?,00868BAD), ref: 00868571
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Classes@Get$qqri.Gifimg@Imaging@L250List@System@Vcl@$ColorControlExtension@GraphicTransparent$Frame@Index$qqrucIndex$qqrvTransparent$qqrv
                                    • String ID:
                                    • API String ID: 201045467-0
                                    • Opcode ID: e23b439ef9fb0ef12812b06092a17b093b04cad72a51bd9d4387325a5b4364ef
                                    • Instruction ID: 1d3c780495fb121b72b006abad548562686deed6284b48be514ca6817a283aab
                                    • Opcode Fuzzy Hash: e23b439ef9fb0ef12812b06092a17b093b04cad72a51bd9d4387325a5b4364ef
                                    • Instruction Fuzzy Hash: 9D313770208295DFC701DB28C444A6ABBE0FFA5350F068A99F8D9CB362C730D814DB63
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0085FF6D
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0085FF8E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetActiveColorMap$qqrv.VCLIMG250 ref: 0085FF93
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0085FFAB
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0085FFC1
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0085FFD8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$Frame$qqriImage$ActiveColorCount$qqrvFrame@Map$qqrv
                                    • String ID:
                                    • API String ID: 4100431884-0
                                    • Opcode ID: c4edcc95de2d0dd78555889eeb8281bd10de0828bff52a1a06130f4b52715db2
                                    • Instruction ID: a04cfb18e191ffd435048b779f9c7aa717432112a468eb6b7c0ab36f7d6057ed
                                    • Opcode Fuzzy Hash: c4edcc95de2d0dd78555889eeb8281bd10de0828bff52a1a06130f4b52715db2
                                    • Instruction Fuzzy Hash: AD3128793086208FC301EF1DC480D29B7E4FF99711B1289A9F994CB322DA31EC46CB92
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E0D2
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E0EB
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E104
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E11D
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E136
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085E14F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Char$qqrpvic.FillL250System@@
                                    • String ID:
                                    • API String ID: 4233932837-0
                                    • Opcode ID: 107b7a02aa87a3d0541aa8b96e0fb0614ffd4f63e358869f2c1a4663ae1c4718
                                    • Instruction ID: a0ba43f888b538c504dde73e570e00442f391910c72cea8ce20a1382a90e7f68
                                    • Opcode Fuzzy Hash: 107b7a02aa87a3d0541aa8b96e0fb0614ffd4f63e358869f2c1a4663ae1c4718
                                    • Instruction Fuzzy Hash: D22161717415448BDF08DF2DC8C278936D2BF88216B4DC4B5EC59DE30ADE39D8568BA4
                                    APIs
                                    • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,?,?,?,?,00866D64), ref: 008594CE
                                      • Part of subcall function 008592EC: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00859322
                                      • Part of subcall function 008592EC: @System@@UStrClr$qqrpv.RTL250.BPL(0085934C), ref: 0085933F
                                    • @System@@LStrFromArray$qqrr27System@%AnsiStringT$us$i0$%pcius.RTL250.BPL(00000000), ref: 0085949A
                                    • @System@@LStrCat$qqrr27System@%AnsiStringT$us$i0$%x27System@%AnsiStringT$us$i0$%.RTL250.BPL(00000000), ref: 008594A8
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00859513,?,?,00866D64), ref: 008594F3
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00859513,?,?,00866D64), ref: 008594FE
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00859513,?,?,00866D64), ref: 00859506
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$String$AnsiClr$qqrpv.System@%$System@$FromT$us$i0$%.$Array$qqrr27Cat$qqrr27LoadRec.Str$qqrr20String$qqrp20Stringx27T$us$i0$%pcius.T$us$i0$%x27Unicode
                                    • String ID:
                                    • API String ID: 30012600-0
                                    • Opcode ID: 7267bd07258198fa40e427126540771cf6d46e24750028421c383420585219a1
                                    • Instruction ID: 2a29fe1defcef2cbc5c28f61dfc28574e5ce445bdbb7bb82200fa94416828c7f
                                    • Opcode Fuzzy Hash: 7267bd07258198fa40e427126540771cf6d46e24750028421c383420585219a1
                                    • Instruction Fuzzy Hash: 89218930A045089FCB11DB68C846BDEBBB9FB49305F5141F5E958E7241DBB1AE88CF82
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1B7
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1D8
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1E7
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1EC
                                    • GdiFlush.GDI32(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1F1
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085A24F,?,?,?,00000000,00000000,00000000), ref: 0085A242
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.StringString$qqrp20String.Sysutils@Unicode$ArrayClr$qqrpvi.Flush
                                    • String ID:
                                    • API String ID: 2323212731-0
                                    • Opcode ID: 9337065ee04c823e9d49cc60c74420e0e7fb58dfb3ad0765785c9245d0b3af4e
                                    • Instruction ID: 385960c3b539bbe75406fbf219c73cefb50d591c0f287e6576d8095bb9874d63
                                    • Opcode Fuzzy Hash: 9337065ee04c823e9d49cc60c74420e0e7fb58dfb3ad0765785c9245d0b3af4e
                                    • Instruction Fuzzy Hash: CC21AE357006049FCB18DF6DC8C2B59B7E6FB88711F018165FC10DB792EAB4AC088B52
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1B7
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1D8
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1E7
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1EC
                                    • GdiFlush.GDI32(00000000,0085A248,?,?,?,?,00000000,00000000,00000000), ref: 0085A1F1
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085A24F,?,?,?,00000000,00000000,00000000), ref: 0085A242
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.StringString$qqrp20String.Sysutils@Unicode$ArrayClr$qqrpvi.Flush
                                    • String ID:
                                    • API String ID: 2323212731-0
                                    • Opcode ID: fdc88e77f48c022260ffa04df6eec75e13d9c03fd1801c66f865c1415fe840da
                                    • Instruction ID: 694ab80cb59bdcfc7305b3660e7202de05a0a76d3dc9389e939dcd67b0935fa5
                                    • Opcode Fuzzy Hash: fdc88e77f48c022260ffa04df6eec75e13d9c03fd1801c66f865c1415fe840da
                                    • Instruction Fuzzy Hash: A5219D357406049FCB18DF6DC8C2B59B7E6FB88711F1181A5EC14DB796EAB4AC088B52
                                    APIs
                                      • Part of subcall function 0085951C: GetObjectW.GDI32(?,00000054,?), ref: 0085954C
                                      • Part of subcall function 0085951C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085963E), ref: 0085955F
                                      • Part of subcall function 0085951C: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085963E), ref: 008595E3
                                      • Part of subcall function 0085951C: @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00859645), ref: 00859638
                                    • CreateCompatibleDC.GDI32(00000000), ref: 008596C3
                                    • SelectPalette.GDI32(?,?,00000000), ref: 008596E4
                                    • RealizePalette.GDI32(?), ref: 008596F0
                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0085970C
                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 00859734
                                    • DeleteDC.GDI32(?), ref: 0085973D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Palette$LoadRec.SelectStringString$qqrp20$ArrayBitsClr$qqrpvi.CompatibleCreateDeleteObjectRealizeSystem@@
                                    • String ID:
                                    • API String ID: 1499322820-0
                                    • Opcode ID: c7450dcc87c0fdf4d7aa2871108200c4026ece472f0e9c2f1e5878cdcd863eed
                                    • Instruction ID: 86f6d78509eebcaf9db3e431b93ec9fd0a7f033cf0077b177408e3b7479b3a1e
                                    • Opcode Fuzzy Hash: c7450dcc87c0fdf4d7aa2871108200c4026ece472f0e9c2f1e5878cdcd863eed
                                    • Instruction Fuzzy Hash: 9F116D75A00204BBDB119FAC8C81F5EBBECEB4A711F508461F918E7281EA7899048765
                                    APIs
                                    • @Vcl@Imaging@Gifimg@WebPalette$qqrv.VCLIMG250(0085EFD8,?,00000000,00000000,?,0085F1C7,00000006,00000000,0085F35B), ref: 0085EF3F
                                    • GetStockObject.GDI32(0000000F), ref: 0085EF65
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(0085EFD8,?,00000000,00000000,?,0085F1C7,00000006,00000000,0085F35B), ref: 0085EF83
                                    • @Vcl@Graphics@CopyPalette$qqrp10HPALETTE__.VCL250.BPL(0085EFD8,?,00000000,00000000,?,0085F1C7,00000006,00000000,0085F35B), ref: 0085EF92
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(0085EFD8,?,00000000,00000000,?,0085F1C7,00000006,00000000,0085F35B), ref: 0085EFA5
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085EFD8,?,00000000,00000000,?,0085F1C7,00000006,00000000,0085F35B), ref: 0085EFCB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$LoadRec.StringString$qqrp20Vcl@$ArrayClr$qqrpvi.CopyE__.Gifimg@Graphics@Imaging@ObjectPalette$qqrp10Palette$qqrvStockSystem@@
                                    • String ID:
                                    • API String ID: 2311951666-0
                                    • Opcode ID: 324178e0ab9604ac03a8b4e6fa610c21f117c2fc9e2d8a982a2424202aa0726f
                                    • Instruction ID: 6836c041165c9dc4a693ef9380904f11a13e0515a2a57de46941e07607e43a69
                                    • Opcode Fuzzy Hash: 324178e0ab9604ac03a8b4e6fa610c21f117c2fc9e2d8a982a2424202aa0726f
                                    • Instruction Fuzzy Hash: D2115430304309ABD728EBE8CDC2659B799F749756F6108F0BE41C6292DDA05A0C9266
                                    APIs
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL(00000000,00C0213A), ref: 00C0210A
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00C02141), ref: 00C02134
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL ref: 00C02147
                                    • ResetEvent.KERNEL32(?,?,00000000,00C021A8), ref: 00C02175
                                    • SetEvent.KERNEL32(00000000,?,?,00000000,00C021A8), ref: 00C0218A
                                    • @System@Syncobjs@TCriticalSection@Leave$qqrv.RTL250.BPL(00C021AF), ref: 00C021A2
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$CriticalEventSection@Syncobjs@Thread@$Axrtl@Check$qqrui.Enter$qqrv.FreeLeave$qqrv.Nil$qqrpv.ResetSleepSysutils@
                                    • String ID:
                                    • API String ID: 2473972354-0
                                    • Opcode ID: 97d89dce0b7b653b05db364446f3caa95e3e658e632d0c2a4f4a281299084372
                                    • Instruction ID: 4c1bb569f789499fa6d256b4a745351dc6e12f49486e53973fee52bc34f88ffb
                                    • Opcode Fuzzy Hash: 97d89dce0b7b653b05db364446f3caa95e3e658e632d0c2a4f4a281299084372
                                    • Instruction Fuzzy Hash: 9C210634A04244EFDB05DBA4C999EADBBF5EF49701FA684E4E804A76A1C734EE00DA10
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C4B10A
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL ref: 00C4B120
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@$bctr$qqrix77System@%DelphiInterface$50System@Generics@Defaults@%IEqualityComparer__1$uj%%.OXCOMPONENTSRTL(?,00000000,00C4B1C5), ref: 00C4B13E
                                    • @System@Generics@Collections@%TEnumerable__1$63System@Generics@Collections@%TPair__2$uj20System@UnicodeString%%@GetEnumerator$qqrv.OXCOMPONENTSRTL(?,00000000,00C4B1C5), ref: 00C4B145
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@AddOrSetValue$qqrxujx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,00000000,00C4B1C5), ref: 00C4B173
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Hash$qqrxuj.OXCOMPONENTSRTL(?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B4FB
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@GetBucketIndex$qqrxuji.OXCOMPONENTSRTL(?,00C4B0D3,?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B50C
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@DoSetValue$qqrix20System@UnicodeString.OXCOMPONENTSRTL(?,00C4B0D3,?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B51C
                                    • @System@Generics@Collections@%TEnumerator__1$63System@Generics@Collections@%TPair__2$uj20System@UnicodeString%%@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00C4B1A2,?,?,00000000,00C4B1C5), ref: 00C4B17B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Generics@$Collections@%Unicode$Dictionary__2$uj20$String%@$L250Pair__2$uj20StringString%%@System@@$BucketClassComparer__1$uj%%Create$qqrpvzc.Defaults@%DelphiEnumerable__1$63Enumerator$qqrvEnumerator__1$63EqualityHash$qqrxujIndex$qqrxujiInitializeInterface$50MoveNext$qqrvRecord$qqrpvt1.String%@$bctr$qqrix77System@%Value$qqrix20Value$qqrxujx20
                                    • String ID:
                                    • API String ID: 726299679-0
                                    • Opcode ID: 5ddce2964a713398af36ebe92459d21826e549ff0c1638b17c8f06767fa5c1c5
                                    • Instruction ID: 1b1191d36b9ccb2a39e7f3fafa126ea57bd63bd1d5c74bb19bbe935bd067358d
                                    • Opcode Fuzzy Hash: 5ddce2964a713398af36ebe92459d21826e549ff0c1638b17c8f06767fa5c1c5
                                    • Instruction Fuzzy Hash: FD11B275A006099FCF11DFA4CCA29AEB7B9FF4A300B108574F820A77A1DB35AD14DB61
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C4B01A
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL ref: 00C4B030
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@$bctr$qqrix77System@%DelphiInterface$50System@Generics@Defaults@%IEqualityComparer__1$uj%%.OXCOMPONENTSRTL(00000000,00000000,00C4B0D3), ref: 00C4B04C
                                    • @System@Generics@Collections@%TEnumerable__1$63System@Generics@Collections@%TPair__2$uj20System@UnicodeString%%@GetEnumerator$qqrv.OXCOMPONENTSRTL(00000000,00000000,00C4B0D3), ref: 00C4B053
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@AddOrSetValue$qqrxujx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B081
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Hash$qqrxuj.OXCOMPONENTSRTL(?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B4FB
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@GetBucketIndex$qqrxuji.OXCOMPONENTSRTL(?,00C4B0D3,?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B50C
                                      • Part of subcall function 00C4B4E8: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@DoSetValue$qqrix20System@UnicodeString.OXCOMPONENTSRTL(?,00C4B0D3,?,00C4B0D3,?,?,?,?,00C4B086,?,?,?,00000000,00000000,00C4B0D3), ref: 00C4B51C
                                    • @System@Generics@Collections@%TEnumerator__1$63System@Generics@Collections@%TPair__2$uj20System@UnicodeString%%@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00C4B0B0,?,00000000,00000000,00C4B0D3), ref: 00C4B089
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Generics@$Collections@%Unicode$Dictionary__2$uj20$String%@$L250Pair__2$uj20StringString%%@System@@$BucketClassComparer__1$uj%%Create$qqrpvzc.Defaults@%DelphiEnumerable__1$63Enumerator$qqrvEnumerator__1$63EqualityHash$qqrxujIndex$qqrxujiInitializeInterface$50MoveNext$qqrvRecord$qqrpvt1.String%@$bctr$qqrix77System@%Value$qqrix20Value$qqrxujx20
                                    • String ID:
                                    • API String ID: 726299679-0
                                    • Opcode ID: 739b8e1d2f859432eb936400e965d052805a71e8fd8a6e955ab9979613c74b09
                                    • Instruction ID: 900f9c73bf4608f7b9196c005f1abfe70225b16a8665aef340994919c0348e71
                                    • Opcode Fuzzy Hash: 739b8e1d2f859432eb936400e965d052805a71e8fd8a6e955ab9979613c74b09
                                    • Instruction Fuzzy Hash: 2011B2B4A046099FCB11DFA4CC92AAFBBB5FB4A300F104575F820A77A1DB369D04DB52
                                    APIs
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@GetOpen$qqrv.OXCOMPONENTSRTL ref: 00BEE086
                                    • CloseHandle.KERNEL32(?), ref: 00BEE09F
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL ref: 00BEE0C0
                                    • CreateFileMappingW.KERNEL32(?,?,?,?,?,00000000), ref: 00BEE0DA
                                    • @System@Sysutils@RaiseLastOSError$qqrv.RTL250.BPL(?,?,?,?,?,00000000), ref: 00BEE0E8
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00BEE0ED
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Last$Char$qqrx20CloseCreateCustomErrorError$qqrv.FileFilemapped@HandleMappedMappingMemory@Open$qqrvOxrtl@RaiseString.System@@Sysutils@Unicode
                                    • String ID:
                                    • API String ID: 589665527-0
                                    • Opcode ID: 12796cb255261f63a2f1573da36e07d2826c91289c73fb16a67ba7506420dabf
                                    • Instruction ID: 457aab16ee2b5d5992232c3a978f4a7892f7471994f7254773f53265e6da6a74
                                    • Opcode Fuzzy Hash: 12796cb255261f63a2f1573da36e07d2826c91289c73fb16a67ba7506420dabf
                                    • Instruction Fuzzy Hash: 95112E71604B449F8760DFADC881E47B7F9AF5C210B144AADE199C3762EB70F9448761
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00869789
                                    • @Vcl@Graphics@TGraphic@$bctr$qqrv.VCL250.BPL ref: 00869796
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 008697A4
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 008697B5
                                    • @Vcl@Imaging@Gifimg@TGIFImage@NewImage$qqrv.VCLIMG250 ref: 00869818
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0086982C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@$ImageL250$System@@$AfterClassConstruction$qqrxp14Create$qqrpvzc.Graphic@$bctr$qqrv.Graphics@Header@$bctr$qqrp28Image$qqrvImage@List@$bctr$qqrp28Object.System@
                                    • String ID:
                                    • API String ID: 795866490-0
                                    • Opcode ID: 1e649e3e58ba1d46dd9d89fb7704689d9939714a9949b60a6881bdccd610fe0c
                                    • Instruction ID: bb02aa1acf03f566e458b29a33851be88d8f014e7e65db5b88588ae6e0df6158
                                    • Opcode Fuzzy Hash: 1e649e3e58ba1d46dd9d89fb7704689d9939714a9949b60a6881bdccd610fe0c
                                    • Instruction Fuzzy Hash: A111BE30705BD08FC321EB3D99402627FE1BF1A245B04056AE8C6C7792D726A9098BA6
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1E0CB), ref: 00C1E03D
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1E0CB), ref: 00C1E052
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C1E0CB), ref: 00C1E05F
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1E0CB), ref: 00C1E070
                                    • @Oxrtl@System@Processes@Processes@EnumProcesses$qqr75System@%DelphiInterface$48System@Sysutils@%TFunc__2$18tagPROCESSENTRY32Wo%%.OXCOMPONENTSRTL(00000000,00C1E0AE,?,00000000,00C1E0CB), ref: 00C1E08D
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1E0B5,00000000,00C1E0CB), ref: 00C1E0A8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17L250$System@@$Interface%.Intf$Copy$qqrr44Interface%x44Processes@Unicode$Asg$qqrr20Clear$qqrr44EnumFunc__2$18tagInterface$48Object@$bctr$qqrv.Oxrtl@Processes$qqr75String.Stringx20Sysutils@%Wo%%
                                    • String ID:
                                    • API String ID: 3463499553-0
                                    • Opcode ID: e4778b8f1771e138c3ebb6c4a5a279fb3dd7afb2eb211b0968bca5862b82cd04
                                    • Instruction ID: 45b46453db47f7d63e680543a556b8c711f7d71c87054bd1ffb525a7b328ee04
                                    • Opcode Fuzzy Hash: e4778b8f1771e138c3ebb6c4a5a279fb3dd7afb2eb211b0968bca5862b82cd04
                                    • Instruction Fuzzy Hash: B311E330A00208AF8701DFADC89198EB7F9EF8A71075186E9F810E3742C670DE40EA94
                                    APIs
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,?,?,00000000,?,00C2A049), ref: 00C2A0A0
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,00000000,000000FF,?,?,?,00000000,?,00C2A049), ref: 00C2A0B4
                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF,?,?,?,00000000,?,00C2A049), ref: 00C2A0BA
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,?,00000000,000000FF,?,?,?,00000000,?,00C2A049), ref: 00C2A0C4
                                    • @Oxrtl@System@Threadex@TCancelationToken@GetResumeHandle$qqrv.OXCOMPONENTSRTL(00000000,?,00000000,000000FF,?,?,?,00000000,?,00C2A049), ref: 00C2A0CF
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C2A10B,00000000,?,00C2A049), ref: 00C2A0FE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: ArrayL250System@@$Length$qqrpxv.$CancelationClear$qqrrpvpv.Handle$qqrvMultipleObjectsOxrtl@ResumeSystem@Threadex@Token@Wait
                                    • String ID:
                                    • API String ID: 2572360659-0
                                    • Opcode ID: 92f0fe6dac1bdff229953ca81fd8ec64df0c7d760d9baacd247631f62af9a177
                                    • Instruction ID: d2a4759cb0adce339cdbe746b9d2070d423ef02b80d963ac78034549c5f6242f
                                    • Opcode Fuzzy Hash: 92f0fe6dac1bdff229953ca81fd8ec64df0c7d760d9baacd247631f62af9a177
                                    • Instruction Fuzzy Hash: 69019234704214EFD710EB69DD82E5DB3E8EB09350F6049B4F802EBB52DA31AE04EB55
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C261B1
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C261C2
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C261CD
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL ref: 00C261D8
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00000000,00C26217,?,00000000,00C26243), ref: 00C26208
                                    • @System@Syncobjs@TCriticalSection@Leave$qqrv.RTL250.BPL(00C2624A), ref: 00C2623D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Clear$qqrr44CriticalDelphiInterface$17Interface%.IntfSection@Syncobjs@System@%$BeforeDestruction$qqrxp14Enter$qqrv.FreeLeave$qqrv.Nil$qqrpv.Objectzc.Sysutils@
                                    • String ID:
                                    • API String ID: 3610381008-0
                                    • Opcode ID: 0ecf88737d8695cbb296f645161a12f376d3176c8eb8c81176f822122a6912c2
                                    • Instruction ID: 9a87b5e51488788fe021b2a9b3ef95cef1c5232590c67a70baf2fa1b01540a9d
                                    • Opcode Fuzzy Hash: 0ecf88737d8695cbb296f645161a12f376d3176c8eb8c81176f822122a6912c2
                                    • Instruction Fuzzy Hash: 26116531A14244EFDB11DF68E952D5DB7F8EB4A7147A184F5F800E3A52D634AE10DA24
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,?,0087636C), ref: 008761EE
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetTransparencyMode$qqrv.VCLIMG250(?,?,0087636C), ref: 008761FB
                                      • Part of subcall function 008767A8: @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250(?,00000000,?,008758FA), ref: 008767AF
                                      • Part of subcall function 008767A8: @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250(?,00000000,?,008758FA), ref: 008767C4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Image@System@$Header$qqrvL250List@MetaSystem@@$ClassClass$qqrp17Class$qqrxp14Class.Clr$qqrpv.FromItemItem$qqruiMode$qqrvObjectp17Transparency
                                    • String ID:
                                    • API String ID: 870891445-0
                                    • Opcode ID: 3dbf12d8253202f0c03b04029dcc220e116ceeebd06c0b37e3917a5c1b4a0e5c
                                    • Instruction ID: ffeff449d326ec86a5f6240fcafad3414c6f738fabee655f00ba58aa7fdbebea
                                    • Opcode Fuzzy Hash: 3dbf12d8253202f0c03b04029dcc220e116ceeebd06c0b37e3917a5c1b4a0e5c
                                    • Instruction Fuzzy Hash: 3101D430228908CECBD59BAE988A46877D1F71231971494A2FC9DDF71BFD11EC206B26
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1E402), ref: 00C1E37A
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1E402), ref: 00C1E38F
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C1E402), ref: 00C1E39C
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1E402), ref: 00C1E3A7
                                    • @Oxrtl@System@Processes@Processes@EnumProcesses$qqr75System@%DelphiInterface$48System@Sysutils@%TFunc__2$18tagPROCESSENTRY32Wo%%.OXCOMPONENTSRTL(00000000,00C1E3E5,?,00000000,00C1E402), ref: 00C1E3C4
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1E3EC,00000000,00C1E402), ref: 00C1E3DF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17L250$System@@$Interface%.Intf$Copy$qqrr44Interface%x44Processes@Unicode$Asg$qqrr20Clear$qqrr44EnumFunc__2$18tagInterface$48Object@$bctr$qqrv.Oxrtl@Processes$qqr75String.Stringx20Sysutils@%Wo%%
                                    • String ID:
                                    • API String ID: 3463499553-0
                                    • Opcode ID: 1851a60645ce8441c911b97dd24f385a9ca402161d301438c884872b74a1e2e7
                                    • Instruction ID: 6b2b711a8665b52f5376ecc9976de61d7bbb90073ee4cd419bb1c00848d0db06
                                    • Opcode Fuzzy Hash: 1851a60645ce8441c911b97dd24f385a9ca402161d301438c884872b74a1e2e7
                                    • Instruction Fuzzy Hash: F611A531A00248AFC705DF7DC852D9EB7F9EB8A7107A1C6B4F820E3792DA34DA50DA54
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?), ref: 00864CEC
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?), ref: 00864CFB
                                    • @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00864D59,?,?), ref: 00864D16
                                      • Part of subcall function 00864BC4: @Vcl@Imaging@Gifimg@TGIFColorMap@Add$qqr21System@Uitypes@TColor.VCLIMG250 ref: 00864C01
                                      • Part of subcall function 00864BC4: @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250(?,00000003), ref: 00864C5D
                                      • Part of subcall function 00864BC4: @System@TObject@Free$qqrv.RTL250.BPL(00864CAD,00000003), ref: 00864CA0
                                    • @Vcl@Graphics@TBitmap@ReleaseHandle$qqrv.VCL250.BPL(00864D60), ref: 00864D43
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00864D60), ref: 00864D4B
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00864D60), ref: 00864D53
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Vcl@$Graphics@System@$Free$qqrv.Object@$Bitmap@Bitmap@$bctr$qqrv.ColorGifimg@Imaging@$Add$qqr21Frame@Handle$qqrp9Handle$qqrv.Map@P__.ReleaseScanline$qqriUitypes@
                                    • String ID:
                                    • API String ID: 1693447162-0
                                    • Opcode ID: ef025dc06d7c75aceb44a7ffeeb115a0aa0aaf1ce0cb45e8ad35473dd4270703
                                    • Instruction ID: 264077795bc263518cc027bc3d64d9254d27ce1416db6e1d2ace6d035dbf7d16
                                    • Opcode Fuzzy Hash: ef025dc06d7c75aceb44a7ffeeb115a0aa0aaf1ce0cb45e8ad35473dd4270703
                                    • Instruction Fuzzy Hash: 78012D31604208AFCB01EFACD89299DB7E5FB49710F6141A5F904D7351DB31AE04DB41
                                    APIs
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@%TSingleCondition__1$16System@TDateTime%@$bctr$qqrx16System@TDateTimex43Oxrtl@System@Eventlog@TEventConditionMethod.OXCOMPONENTSRTL(?,?,00000000,00BE00D2,?,?,?,?,00000000), ref: 00BE007B
                                      • Part of subcall function 00BE2BF4: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00BE2C00
                                      • Part of subcall function 00BE2BF4: @Oxrtl@System@Eventlog@TWindowsEventLog@TCustomCondition@$bctr$qqrx43Oxrtl@System@Eventlog@TEventConditionMethod.OXCOMPONENTSRTL(?,?,?,00BDFE64,?,?,00000000,00BDFEB6,?,?,?,?,00000000), ref: 00BE2C0D
                                      • Part of subcall function 00BE2BF4: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,?,00BDFE64,?,?,00000000,00BDFEB6,?,?,?,?,00000000), ref: 00BE2C24
                                    • @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(?,?,00000000,00BE00D2,?,?,?,?,00000000), ref: 00BE0091
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@TCondition@Conditions$qqrv.OXCOMPONENTSRTL(?,?,?,00000000,00BE00D2,?,?,?,?,00000000), ref: 00BE009C
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@Add$qqrx84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%.OXCOMPONENTSRTL(?,?,00000000,00BE00D2,?,?,?,?,00000000), ref: 00BE00A2
                                    • @System@@IntfCast$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%rx5_GUID.RTL250.BPL(?,?,00000000,00BE00D2,?,?,?,?,00000000), ref: 00BE00B7
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BE00D9,00BE00D2,?,?,?,?,00000000), ref: 00BE00CC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiEventEventlog@Oxrtl@System@%$Interface$17L250System@@Windows$ConditionLog@$Intf$Cast$qqrr44DateInterface$57Interface%rx5_Interface%x44Method$Add$qqrx84AfterClassClear$qqrr44Collections@%Condition@Condition@$bctr$qqrx43Condition__1$16Conditions$qqrvConstruction$qqrxp14Create$qqrpvzc.CustomGenerics@Interface%.Internal%Internal%%@List__1$84Log@%Object.SingleTime%@$bctr$qqrx16Timex43
                                    • String ID:
                                    • API String ID: 2453698350-0
                                    • Opcode ID: bc430b2b70c8704a46317beb7c4a8a9eb53073f331f8d3711c9d5c677146c3b2
                                    • Instruction ID: 28f3325eafaa39649d659bc53909dac77105afa5bc1a38083e70b3e148507a5e
                                    • Opcode Fuzzy Hash: bc430b2b70c8704a46317beb7c4a8a9eb53073f331f8d3711c9d5c677146c3b2
                                    • Instruction Fuzzy Hash: 870147313006886F9711FA7F8C01E1DB7EADBC57207A084F5F900E3693DBB08D419214
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C21047
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C210C3,?,?,?,?,00000000,?,00C1B445), ref: 00C21064
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C210C3,?,?,?,?,00000000,?,00C1B445), ref: 00C2108A
                                    • @System@Generics@Defaults@%TComparer__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@Default$qqrv.OXCOMPONENTSRTL(00000000,00C210C3,?,?,?,?,00000000,?,00C1B445), ref: 00C2109D
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C210C3,?,?,?,?,00000000,?,00C1B445), ref: 00C210A8
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C210CA,?,?,?,00000000,?,00C1B445), ref: 00C210BD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17L250$System@@$Interface%.Intf$Copy$qqrr44Interface%x44$ClassClear$qqrr44Comparer__1$58Create$qqrpvzc.Default$qqrvDefaults@%Generics@Interface$31Object@$bctr$qqrv.Oxrtl@Process%%@Processes@
                                    • String ID:
                                    • API String ID: 1052113539-0
                                    • Opcode ID: fc66986081b0e5f4a058c1f61160a3c4218fba5887f1759a5aa5790cae1773c9
                                    • Instruction ID: 38621d5e6a2c3ebb14c89520517805966f232a45ba33df32973a50cd6cbd7177
                                    • Opcode Fuzzy Hash: fc66986081b0e5f4a058c1f61160a3c4218fba5887f1759a5aa5790cae1773c9
                                    • Instruction Fuzzy Hash: B3012271600A48BFC310EF29E942E49B7F8FB86310B60466AE804A3E52D774AE55CBD5
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C210F7
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C2116E,?,?,?,?,00000000), ref: 00C21114
                                    • @System@Generics@Defaults@%TComparer__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@Default$qqrv.OXCOMPONENTSRTL(00000000,00C2116E,?,?,?,?,00000000), ref: 00C2113D
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C2116E,?,?,?,?,00000000), ref: 00C21148
                                    • @System@Generics@Collections@%TList__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@InsertRange$qqrixp105System@Generics@Collections@%TEnumerable__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%.OXCOMPONENTSRTL(00000000,00C2116E,?,?,?,?,00000000), ref: 00C21153
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C21175,?,?,?,00000000), ref: 00C21168
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$L250$Generics@Interface$17Interface$31Oxrtl@Processes@System@@$Collections@%Interface%.IntfProcess%%@$ClassClear$qqrr44Comparer__1$58Copy$qqrr44Create$qqrpvzc.Default$qqrvDefaults@%Enumerable__1$58InsertInterface%x44List__1$58Object@$bctr$qqrv.Process%%Range$qqrixp105
                                    • String ID:
                                    • API String ID: 1955736265-0
                                    • Opcode ID: 047e5318b6b12e936d5b7ad8cec175a84ac2b11ac05cd7d915219b7eeae32f43
                                    • Instruction ID: bb6ded7d4bb6186bf44d07a5391d883aa66f295fa1ce6e18e2c843026a71d18a
                                    • Opcode Fuzzy Hash: 047e5318b6b12e936d5b7ad8cec175a84ac2b11ac05cd7d915219b7eeae32f43
                                    • Instruction Fuzzy Hash: D501F571700648ABC311DF29ED42A5EF7F5FB867107648669E40493F51DB71AE118BD0
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C4A138,?,?,?,?,00000000,00000000), ref: 00C4A0E1
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C4A138,?,?,?,?,00000000,00000000), ref: 00C4A0F4
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C4A138,?,?,?,?,00000000,00000000), ref: 00C4A10A
                                    • @System@Generics@Collections@TListHelper@InternalPackN$qqrx85System@%DelphiInterface$58System@Generics@Collections@TListHelper@TInternalEmptyFunc%.RTL250.BPL(00000000,00C4A138,?,?,?,?,00000000,00000000), ref: 00C4A115
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C4A13F,?,?,?,00000000,00000000), ref: 00C4A12A
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C4A13F,?,?,?,00000000,00000000), ref: 00C4A132
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$Interface$17L250$Interface%.IntfSystem@@$Clear$qqrr44Collections@Copy$qqrr44Generics@Helper@Interface%x44InternalList$EmptyFunc%.Interface$58N$qqrx85Object@$bctr$qqrv.Pack
                                    • String ID:
                                    • API String ID: 1563090510-0
                                    • Opcode ID: cd52a8247720bbcf254248af83e04ae2ecf5efdd7c4bbce5ac6294d6e7f720ed
                                    • Instruction ID: 385ee85e90ae81e4e7cf3ce84d9e530a2a575a3ac7a3765974f3e095d19ccdb0
                                    • Opcode Fuzzy Hash: cd52a8247720bbcf254248af83e04ae2ecf5efdd7c4bbce5ac6294d6e7f720ed
                                    • Instruction Fuzzy Hash: 9401F735600744BBD310EF69CC42F8EB7E9EBC5720FA085B5E810A3696DB30AE048654
                                    APIs
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00BF5183
                                      • Part of subcall function 00BC292C: @System@@FillChar$qqrpvic.RTL250.BPL(00BF11CB,00000000,00BF15D2), ref: 00BC292E
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(?,00000104,00000000,00BF51EB), ref: 00BF51B1
                                    • PathUnExpandEnvStringsW.SHLWAPI(00000000,?,00000104,00000000,00BF51EB), ref: 00BF51B7
                                    • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL250.BPL(00000000,?,00000104,00000000,00BF51EB), ref: 00BF51C5
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,?,00000104,00000000,00BF51EB), ref: 00BF51D0
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(00BF51F2,00000000,00BF51EB), ref: 00BF51E5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$System@Unicode$String.$Asg$qqrr20Char$qqrpvic.Char$qqrr20Char$qqrx20ExpandFillFreeFromMem$qqri.Mem$qqrpv.PathStringpb.StringsStringx20
                                    • String ID:
                                    • API String ID: 4288763625-0
                                    • Opcode ID: 9fe136d561ebc57354f6e0c0f2be1adf3292045d5b403d31c3ee7933c7b01eb5
                                    • Instruction ID: 4fe64c551f972f886284b6444e5692aa999272bbc0b33f8971cb007059dca0b4
                                    • Opcode Fuzzy Hash: 9fe136d561ebc57354f6e0c0f2be1adf3292045d5b403d31c3ee7933c7b01eb5
                                    • Instruction Fuzzy Hash: BFF08770B00608ABD710EBADCC52E2E76ECEB4A700B6108F9B600E7252DA74EE009220
                                    APIs
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Grow$qqrv.OXCOMPONENTSRTL(?,?,?,?,00C492CC,?,?,00000000,00C4931E,?,?,?,?), ref: 00C4B245
                                      • Part of subcall function 00C4A9D0: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Rehash$qqri.OXCOMPONENTSRTL(?,?,00C4B24A,?,?,?,?,00C492CC,?,?,00000000,00C4931E,?,?,?,?), ref: 00C4A9F1
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Hash$qqrxuj.OXCOMPONENTSRTL(?,?,?,?,?,?,00C492CC,?,?,00000000,00C4931E,?,?,?,?), ref: 00C4B252
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@GetBucketIndex$qqrxuji.OXCOMPONENTSRTL(?,?,?,?,?,?,?,?,00C492CC,?,?,00000000,00C4931E), ref: 00C4B263
                                    • @System@Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?,?,?,?,?,00C492CC,?,?,00000000,00C4931E), ref: 00C4B279
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(?,?,?,?,?,?,?,?,00C492CC,?,?,00000000,00C4931E), ref: 00C4B27E
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@DoAdd$qqriixujx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?,?,?,?,?,?,?,00C492CC,?,?,00000000,00C4931E), ref: 00C4B295
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$Collections@%Dictionary__2$uj20Generics@String%@$L250String$Add$qqriixujx20BucketExcept$qqrv.Exception@$bctr$qqrp20Grow$qqrvHash$qqrxujIndex$qqrxujiRaiseRec.Rehash$qqriSystem@@Sysutils@
                                    • String ID:
                                    • API String ID: 1604382720-0
                                    • Opcode ID: a8f8dac9bc7e2795982e30fd6898f4d9b3784a90d34bc28b1aa6253b20810b58
                                    • Instruction ID: 22804c183e9057f4702d4eb742506924258ed59a565b7f1332336b36fc45f881
                                    • Opcode Fuzzy Hash: a8f8dac9bc7e2795982e30fd6898f4d9b3784a90d34bc28b1aa6253b20810b58
                                    • Instruction Fuzzy Hash: B0F04F35704208BB9B00AFA8DC81E5E77EAFF48360710D469FD08DB322DA76DD55AB90
                                    APIs
                                    • @Oxrtl@System@Desktop@Desktop@GetTaskBarProcessFileName$qqrui.OXCOMPONENTSRTL(00000000,00C681CD), ref: 00C68189
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C681CD), ref: 00C68194
                                    • @System@Sysutils@TStringHelper@IsEmpty$qqrv.RTL250.BPL(00000000,00C681CD), ref: 00C6819C
                                    • @Oxrtl@System@Desktop@Desktop@GetTaskBarProcessId$qqrv.OXCOMPONENTSRTL(00000000,00C681CD), ref: 00C681A9
                                      • Part of subcall function 00C67F90: @Oxrtl@System@Desktop@Desktop@GetTaskBarWindow$qqrv.OXCOMPONENTSRTL(?,00C67F7E), ref: 00C67F93
                                      • Part of subcall function 00C67F90: @Oxrtl@System@Processes@Processes@GetWindowProcess$qqrp6HWND__.OXCOMPONENTSRTL(?,00C67F7E), ref: 00C67F9F
                                    • @Oxrtl@System@Desktop@Desktop@RestartTaskBarInternal$qqruio.OXCOMPONENTSRTL(00000000,00C681CD), ref: 00C681B0
                                      • Part of subcall function 00C6897C: @Oxrtl@System@Desktop@Desktop@GetTaskBarProcessFileName$qqrui.OXCOMPONENTSRTL(00000000,00C68A23), ref: 00C689A9
                                      • Part of subcall function 00C6897C: @System@Sysutils@TStringHelper@IsEmpty$qqrv.RTL250.BPL(00000000,00C68A23), ref: 00C689B1
                                      • Part of subcall function 00C6897C: @Oxrtl@System@Desktop@Desktop@Refresh$qqroo.OXCOMPONENTSRTL(00000000,00C68A23), ref: 00C689BE
                                      • Part of subcall function 00C6897C: Sleep.KERNEL32(000009C4,00000000,00C68A23), ref: 00C689C8
                                      • Part of subcall function 00C6897C: @Oxrtl@System@Processes@Processes@TerminateProcessById$qqruiuijpqqr20System@UnicodeStringuiui47Oxrtl@System@Processes@TProcessStopServiceStageo$o.OXCOMPONENTSRTL(00002710,00000000,000009C4,00000000,00C68A23), ref: 00C689E8
                                      • Part of subcall function 00C6897C: Sleep.KERNEL32(000005DC,000009C4,00000000,00C68A23), ref: 00C689F6
                                      • Part of subcall function 00C6897C: @Oxrtl@System@Desktop@Desktop@CheckStartTaskBarProcess$qqr20System@UnicodeStringo.OXCOMPONENTSRTL(000005DC,000009C4,00000000,00C68A23), ref: 00C68A04
                                      • Part of subcall function 00C6897C: @System@@UStrClr$qqrpv.RTL250.BPL(00C68A2A), ref: 00C68A1D
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C681D4), ref: 00C681C7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Desktop@$Oxrtl@$Task$L250ProcessProcesses@$Unicode$System@@$Clr$qqrpv.Empty$qqrv.FileHelper@Name$qqruiSleepStringSysutils@$Asg$qqrr20CheckId$qqruiuijpqqr20Id$qqrvInternal$qqruioProcess$qqr20Process$qqrp6Refresh$qqrooRestartServiceStageo$oStartStopString.StringoStringuiui47Stringx20TerminateWindowWindow$qqrv
                                    • String ID:
                                    • API String ID: 1329923755-0
                                    • Opcode ID: 9a1a9a891a268d9c23868b4af9ec5e20a06be48b3ff9bf613545a9e55a1734af
                                    • Instruction ID: 3ae919dc5a695fb2fc56f287a7491f2c5b9411cbb17e692b99594a37e38936c0
                                    • Opcode Fuzzy Hash: 9a1a9a891a268d9c23868b4af9ec5e20a06be48b3ff9bf613545a9e55a1734af
                                    • Instruction Fuzzy Hash: 5001A430A04208AF9B20EFB5DCD289EB7F9EF8A700B558AB4E410E7251EF359E05D651
                                    APIs
                                    • @Oxrtl@System@Desktop@Desktop@GetDesktopWindow$qqrrp6HWND__.OXCOMPONENTSRTL(00000001), ref: 00C6826B
                                      • Part of subcall function 00C67EA8: @Axrtl@Winapi@User32@User32@GetShellWindow$qqrv.AXCOMPONENTSRTL.BPL ref: 00C67EB0
                                      • Part of subcall function 00C67EA8: FindWindowExW.USER32(00000000,00000000,SHELLDLL_DefView,00000000), ref: 00C67EBF
                                      • Part of subcall function 00C67EA8: EnumWindows.USER32(00C67D78,00000000), ref: 00C67ED6
                                    • PostMessageW.USER32(?,00000100,00000074,00000000), ref: 00C68285
                                    • PostMessageW.USER32(?,00000101,00000074,00000000), ref: 00C68297
                                    • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 00C682AA
                                    • @Oxrtl@System@Desktop@Desktop@RefreshSettings$qqrv.OXCOMPONENTSRTL(?,00000101,00000074,00000000,?,00000100,00000074,00000000,00000001), ref: 00C682B3
                                    • @Oxrtl@System@Desktop@Desktop@RefreshTaskBar$qqrv.OXCOMPONENTSRTL(?,00000101,00000074,00000000,?,00000100,00000074,00000000,00000001), ref: 00C682BE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Desktop@$Oxrtl@System@$MessagePostRefreshUser32@$Axrtl@Bar$qqrvChangeDesktopEnumFindNotifySettings$qqrvShellTaskWinapi@WindowWindow$qqrrp6Window$qqrv.Windows
                                    • String ID:
                                    • API String ID: 1973621378-0
                                    • Opcode ID: d8880c14105f528775ea32befc67cad4cd414405faccf5778fd6f8d3bb304e81
                                    • Instruction ID: 017a3f33415dcf5056c5c035b0c7fb9386110a155022264c0f9ddbe849684e87
                                    • Opcode Fuzzy Hash: d8880c14105f528775ea32befc67cad4cd414405faccf5778fd6f8d3bb304e81
                                    • Instruction Fuzzy Hash: BEF09A31BC8B4439EA71A2B84C87FD963981B01B14F200295B654AA1C2DDE276899228
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0087461C,?,?,?,00000000), ref: 008745CD
                                    • @Vcl@Imaging@Pngimage@TChunkgAMA@GetValue$qqrv.VCLIMG250(00000000,0087461C,?,?,?,00000000), ref: 008745D8
                                      • Part of subcall function 0087466C: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(?,008745DD,00000000,0087461C,?,?,?,00000000), ref: 0087467C
                                    • @Vcl@Imaging@Pngimage@TChunkgAMA@SetValue$qqrxui.VCLIMG250(00000000,0087461C,?,?,?,00000000), ref: 008745E1
                                      • Part of subcall function 00874810: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(?,?,008745E6,00000000,0087461C,?,?,?,00000000), ref: 00874823
                                      • Part of subcall function 00874810: @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250(?,?,008745E6,00000000,0087461C,?,?,?,00000000), ref: 0087482A
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0087461C,?,?,?,00000000), ref: 008745F0
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,0087461C,?,?,?,00000000), ref: 00874601
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00874623,?,?,00000000), ref: 00874616
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@System@Vcl@$L250$Chunk@ChunkgData$qqrxuiMetaResizeStringSystem@@$ByteClass$qqrxp14Class.Class20Clr$qqrpv.Error$qqrp17Image@LoadObjectp17RaiseRec.String$qqrp20Swap$qqrxiUnicodeValue$qqrvValue$qqrxui
                                    • String ID:
                                    • API String ID: 2608915238-0
                                    • Opcode ID: 50734208c6a5e75a3a4786701c1fcdf8bff68664e605114533fed285e23e136e
                                    • Instruction ID: e55458057d2f5519392990d5633cad753185664ffda2cc10ddd7c208e1291bfc
                                    • Opcode Fuzzy Hash: 50734208c6a5e75a3a4786701c1fcdf8bff68664e605114533fed285e23e136e
                                    • Instruction Fuzzy Hash: 48F0AF34310604ABD701EB6CDC4291973A9FB8A700B619071F804C736ADBB4ED04C656
                                    APIs
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL ref: 00870D13
                                    • @System@Move$qqrpxvpvi.RTL250.BPL ref: 00870D1F
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00870D29
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00870D77), ref: 00870D5A
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00870D77), ref: 00870D62
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00870D77), ref: 00870D6A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$Clr$qqrpv.String$A$qqrr27AnsiArrayClr$qqrpvi.Mem$qqri.Move$qqrpxvpvi.System@System@%T$us$i0$%.Unique
                                    • String ID:
                                    • API String ID: 805824587-0
                                    • Opcode ID: 593bb7f6ed048cf4a4bad67861fa7ea720be34bd96789d6b14195696008c49c7
                                    • Instruction ID: bbaaba9ff54c7cfbbf83271b65dfb0d84a267ac6dac0fb2b73b5ea8744ef399a
                                    • Opcode Fuzzy Hash: 593bb7f6ed048cf4a4bad67861fa7ea720be34bd96789d6b14195696008c49c7
                                    • Instruction Fuzzy Hash: DA011670A006099FDB00DFA9C085A9EF7F9FF84300BA0C0A6E818E7255D734EA09CB11
                                    APIs
                                    • @System@@UStrAddRef$qqrpv.RTL250.BPL ref: 00BF7176
                                    • @System@Sysutils@TStringHelper@GetLength$qqrv.RTL250.BPL(00000000,00BF7235), ref: 00BF718C
                                    • @Oxrtl@System@Eventlog@Appcrashutils@TWindowsEventRecordHelper@GetFileName$qqrv.OXCOMPONENTSRTL(00000000,00BF7235), ref: 00BF719A
                                      • Part of subcall function 00BF7540: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF76A4,BC108FE0,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F), ref: 00BF756E
                                      • Part of subcall function 00BF7540: @System@Sysutils@ExtractFileExt$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7597
                                      • Part of subcall function 00BF7540: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF759F
                                      • Part of subcall function 00BF7540: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF75BE
                                      • Part of subcall function 00BF7540: @System@Sysutils@TryStrToInt$qqrx20System@UnicodeStringri.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF75C9
                                      • Part of subcall function 00BF7540: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF75D9
                                      • Part of subcall function 00BF7540: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF75E3
                                      • Part of subcall function 00BF7540: @System@Pos$qqrx20System@UnicodeStringt1i.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF75F9
                                      • Part of subcall function 00BF7540: @System@Sysutils@ExtractFileExt$qqrx20System@UnicodeString.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7608
                                      • Part of subcall function 00BF7540: @System@Sysutils@SameText$qqrx20System@UnicodeStringt1.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7615
                                      • Part of subcall function 00BF7540: @Oxrtl@System@Fileutils@FileUtils@FileIconIndex$qqrx20System@UnicodeString.OXCOMPONENTSRTL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7621
                                      • Part of subcall function 00BF7540: @System@Sysutils@ExtractFileExt$qqrx20System@UnicodeString.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7630
                                      • Part of subcall function 00BF7540: @System@Sysutils@SameText$qqrx20System@UnicodeStringt1.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF763D
                                      • Part of subcall function 00BF7540: @System@Pos$qqrx20System@UnicodeStringt1i.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7653
                                      • Part of subcall function 00BF7540: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(BC108FC8,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF719F,00000000,00BF7235), ref: 00BF7662
                                    • @System@Sysutils@TStringHelper@GetLength$qqrv.RTL250.BPL(00000000,00BF7235), ref: 00BF71A2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00000000,00BF7235), ref: 00BF71AD
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@$bctr$qqrx20System@UnicodeStringo.AXCOMPONENTSRTL.BPL(00000000,00000000,00BF7235), ref: 00BF71C0
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@IsValueExist$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF7218,?,00000000,00000000,00BF7235), ref: 00BF71DE
                                    • @Axrtl@System@Fileversioninfo@TFileVersionInfo@GetValue$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF7218,?,00000000,00000000,00BF7235), ref: 00BF71F1
                                    • @System@Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF7218,?,00000000,00000000,00BF7235), ref: 00BF71FD
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00BF721F,00000000,00000000,00BF7235), ref: 00BF7212
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF723C), ref: 00BF722F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Unicode$String.$FileSysutils@$System@@$Extract$Axrtl@Ext$qqrx20Fileversioninfo@Helper@Len$qqrx20StringVersion$Asg$qqrr20Clr$qqrpv.Info@Length$qqrv.Oxrtl@Pos$qqrx20SameStringt1.Stringt1i.Stringx20Text$qqrx20$Appcrashutils@Copy$qqrx20EventEventlog@Exist$qqrx20Fileutils@FreeIconIndex$qqrx20Info@$bctr$qqrx20Int$qqrx20Name$qqrvName$qqrx20Nil$qqrpv.RecordRef$qqrpv.Stringii.Stringo.Stringri.Utils@ValueValue$qqrx20Windows
                                    • String ID: %s (%s)$FileDescription$ProductName
                                    • API String ID: 2270111523-921371273
                                    • Opcode ID: 288332fc12d77485d6e32529a4c76d7765436032db4d107c6e84205429a71dfe
                                    • Instruction ID: ba1bb8d7f03f59c0c04dae591fcf2e9514a940a7300b48339839e83d66d03679
                                    • Opcode Fuzzy Hash: 288332fc12d77485d6e32529a4c76d7765436032db4d107c6e84205429a71dfe
                                    • Instruction Fuzzy Hash: E7F0623064864CAF9700EB68CD439ADB2ECDB4AB407A144F5FA04F3651FB789F189554
                                    APIs
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000), ref: 00C130B9
                                    • @System@@InitializeRecord$qqrpvt1.RTL250.BPL(00000000), ref: 00C130C7
                                      • Part of subcall function 00BC292C: @System@@FillChar$qqrpvic.RTL250.BPL(00BF11CB,00000000,00BF15D2), ref: 00BC292E
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C13126,BC10EFC4,00000000), ref: 00C130ED
                                    • @Oxrtl@Winapi@Powrprof@PowrProf@EnumPwrSchemes$qqrpqqsuiuipbuit3p34Oxrtl@Winapi@Powrprof@POWER_POLICYi$ii.OXCOMPONENTSRTL(00000000,00C13126,BC10EFC4,00000000), ref: 00C130FA
                                      • Part of subcall function 00C10460: @Oxrtl@Winapi@Powrprof@PowrProf@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00C10470
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00C1312D,00000000), ref: 00C13118
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1312D,00000000), ref: 00C13120
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$System@$DelphiInterface$17System@%$Interface%.IntfOxrtl@Powrprof@Winapi@$PowrProf@Record$qqrpvt1.$Char$qqrpvic.Clear$qqrr44Copy$qqrr44EnumFillFinalizeInitializeInterface%x44Proc$qqrx20Ref$qqrx44Schemes$qqrpqqsuiuipbuit3p34StringUnicodeYi$ii
                                    • String ID:
                                    • API String ID: 1220958512-0
                                    • Opcode ID: 69859676927e951fef5db1f1162c3284ad0be268940a098b4d128ccf42ba8145
                                    • Instruction ID: ee39cabb9bff713641385556b5af4f6abdf32a1441cc39f039a4c60983f3bd63
                                    • Opcode Fuzzy Hash: 69859676927e951fef5db1f1162c3284ad0be268940a098b4d128ccf42ba8145
                                    • Instruction Fuzzy Hash: 4B01673491014CAFC700EB54C882ECDF3F8FB4A314FA085B6A810A3651D774AB049554
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0086761C
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 00867638
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 0086763D
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00867649
                                    • @Vcl@Imaging@Gifimg@TGIFApplicationExtension@$bdtr$qqrv.VCLIMG250 ref: 00867654
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0086765F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Free$qqrv.Object@System@@$ApplicationBeforeClassClasses@Destroy$qqrxp14Destruction$qqrxp14Extension@$bdtr$qqrvGet$qqri.Gifimg@Imaging@List@Object.Objectzc.Vcl@
                                    • String ID:
                                    • API String ID: 2778235519-0
                                    • Opcode ID: 8d88d0029828a5ef3c662a0842f754f47ccf6efe0e0cfb45e6897a65b7ca13f2
                                    • Instruction ID: a7b9e1d10373c361288c4396a65ff1425e07a982d3fd88ded2baf6b99c5f37d8
                                    • Opcode Fuzzy Hash: 8d88d0029828a5ef3c662a0842f754f47ccf6efe0e0cfb45e6897a65b7ca13f2
                                    • Instruction Fuzzy Hash: A1F0E561708E08074630BA2E9895F5BB3D9FFA53623451251FD41C3313DF11DC8E82D2
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@GetColorResolution$qqrv.VCLIMG250 ref: 00869929
                                      • Part of subcall function 00860590: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250(00000000,0086026D), ref: 00860596
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00869933
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 00869947
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetColorResolution$qqrv.VCLIMG250 ref: 0086994C
                                      • Part of subcall function 00863E70: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250 ref: 00863E76
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086995A
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetColorResolution$qqrv.VCLIMG250 ref: 0086995F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Color$List@$Resolution$qqrv$BitsFrame$qqriFrame@ImageMap@Pixel$qqrv$Count$qqrvHeader@Item$qqri
                                    • String ID:
                                    • API String ID: 1364230800-0
                                    • Opcode ID: be405ce9bb29e7726d1bb891482dc7c071193b279f19233cbe1b09185f53da74
                                    • Instruction ID: 45e06dc83985012c58088e4dcee5926dab550a6f184403f11781d2896c8422ba
                                    • Opcode Fuzzy Hash: be405ce9bb29e7726d1bb891482dc7c071193b279f19233cbe1b09185f53da74
                                    • Instruction Fuzzy Hash: 53F0E5313136191F4310BABD898197ABBD8FF4076170210B9F981C7B12EA22EC1186E2
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@GetBitsPerPixel$qqrv.VCLIMG250(?,?,?,?,00862D75), ref: 0086997D
                                      • Part of subcall function 00860584: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250(0086027B), ref: 00860587
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,?,00862D75), ref: 00869987
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,00862D75), ref: 0086999B
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitsPerPixel$qqrv.VCLIMG250(?,?,?,?,00862D75), ref: 008699A0
                                      • Part of subcall function 00863E80: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250(008699A5,?,?,?,?,00862D75), ref: 00863E83
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,?,00862D75), ref: 008699AE
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetBitsPerPixel$qqrv.VCLIMG250(?,?,?,?,00862D75), ref: 008699B3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$BitsPixel$qqrv$List@$ColorFrame$qqriFrame@ImageMap@$Count$qqrvHeader@Item$qqri
                                    • String ID:
                                    • API String ID: 1434094843-0
                                    • Opcode ID: ead0f61a8addb352678467f999a177c59acbc30c0b99020960b6ad87faa7f198
                                    • Instruction ID: ee0014f8fde72034710b1c18b0847ec9b9dd2e4d3d08ec756cbade6df16a8744
                                    • Opcode Fuzzy Hash: ead0f61a8addb352678467f999a177c59acbc30c0b99020960b6ad87faa7f198
                                    • Instruction Fuzzy Hash: F6F0E5217076191B4310B6BD898197BBBC9FF4036134220B9F881C7B06EA32EC118AE2
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0087823E
                                    • DeleteObject.GDI32(?), ref: 0087824F
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00878257
                                    • @Vcl@Graphics@TSharedImage@Release$qqrv.VCL250.BPL ref: 0087825F
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 0087826A
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00878275
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$BeforeClassClasses@DeleteDestroy$qqrxp14Destruction$qqrxp14Free$qqrv.Graphics@Image@ObjectObject.Object@Objectzc.Persistent@$bdtr$qqrv.Release$qqrv.SharedVcl@
                                    • String ID:
                                    • API String ID: 3582946179-0
                                    • Opcode ID: aecb5fa23a6ab974d62206b2d633a0ca350c5dadd18cb4a8bd6cd981251bedac
                                    • Instruction ID: 31bbac31eb8b76c707d38e2ec80d8458eaabf2ce0be8a5e3f8e56b548ee3df81
                                    • Opcode Fuzzy Hash: aecb5fa23a6ab974d62206b2d633a0ca350c5dadd18cb4a8bd6cd981251bedac
                                    • Instruction Fuzzy Hash: 3DE08671790D50474710B67D8996A8E63D9FF0A3933444814F985D7212DF11EC4E4356
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF40F8), ref: 00BF40B1
                                    • @Oxrtl@System@Fileutils@FileUtils@CommandLineToFileName$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00BF40F8), ref: 00BF40C2
                                      • Part of subcall function 00BF3C04: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3C2E
                                      • Part of subcall function 00BF3C04: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3C35
                                      • Part of subcall function 00BF3C04: @Axrtl@System@Ioutils@TPathHelper@CommandLineToArgv$qqrx20System@UnicodeStringr20System@UnicodeStringt2.AXCOMPONENTSRTL.BPL(00000000,00BF3C63,?,00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3C54
                                      • Part of subcall function 00BF3C04: @Oxrtl@System@Fileutils@FileUtils@CheckDosFileName$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3C8C
                                      • Part of subcall function 00BF3C04: @Axrtl@System@Ioutils@TPathHelper@CheckFileX64$qqrx20System@UnicodeString.AXCOMPONENTSRTL.BPL(00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3C97
                                      • Part of subcall function 00BF3C04: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF3CCA,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3CA2
                                      • Part of subcall function 00BF3C04: @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00BF3CD1,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3CBC
                                      • Part of subcall function 00BF3C04: @System@@UStrClr$qqrpv.RTL250.BPL(00BF3CD1,?,?,?,00000000,00000000,00000000,00000000), ref: 00BF3CC4
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BF40F8), ref: 00BF40CD
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40E2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40EA
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF40FF), ref: 00BF40F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Unicode$L250System@@$String.$File$Clr$qqrpv.$Asg$qqrr20Stringx20$Axrtl@CheckCommandFileutils@Helper@Ioutils@Len$qqrx20LineName$qqrx20Oxrtl@PathStringUtils@$Argv$qqrx20ArrayClr$qqrpvi.Stringr20Stringt2.X64$qqrx20
                                    • String ID: \%s\shell\%s\command\
                                    • API String ID: 1717503479-2264411561
                                    • Opcode ID: de659a3047520840df57131cc5220e5c828ad001447bdbbe5a41faeffd8bc251
                                    • Instruction ID: 58d590d7cb8f16ec6adefa322f546298ef469e83386d61de757293c82687436f
                                    • Opcode Fuzzy Hash: de659a3047520840df57131cc5220e5c828ad001447bdbbe5a41faeffd8bc251
                                    • Instruction Fuzzy Hash: B7F0A23491410CAF9700EB68D542D9DB3F4EF4534075584E5F610F3212DB34ED098A11
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C49025
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C49034
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C4903F
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C4904A
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00C49055
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C49060
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$FreeNil$qqrpv.Sysutils@$System@@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 3512989761-0
                                    • Opcode ID: 2ef26e75cd2768e8f496c4ac7eee0896f3a883189990f8a28eb3bf65632b88e2
                                    • Instruction ID: 8e51037878287edf9eeede8e80d9a8ca506967e91a594a21959ab45f3bdbde9e
                                    • Opcode Fuzzy Hash: 2ef26e75cd2768e8f496c4ac7eee0896f3a883189990f8a28eb3bf65632b88e2
                                    • Instruction Fuzzy Hash: 32E04F313405182AD311B6289C82ECAB3CC9F06752B8888AAE248A3103EE15AF1B4394
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C4B1F5
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Clear$qqrv.OXCOMPONENTSRTL ref: 00C4B200
                                      • Part of subcall function 00C4B398: @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00C4B465,?,?,00000000), ref: 00C4B3C2
                                      • Part of subcall function 00C4B398: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00C4B465,?,?,00000000), ref: 00C4B3D5
                                      • Part of subcall function 00C4B398: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@SetCapacity$qqri.OXCOMPONENTSRTL(00000000,00C4B465,?,?,00000000), ref: 00C4B3DE
                                      • Part of subcall function 00C4B398: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C4B46C,?,00000000), ref: 00C4B45F
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00C4B208
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00C4B210
                                    • @System@Generics@Collections@%TEnumerable__1$63System@Generics@Collections@%TPair__2$uj20System@UnicodeString%%@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00C4B21B
                                      • Part of subcall function 00C4A720: @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C4A725
                                      • Part of subcall function 00C4A720: @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00C4A734
                                      • Part of subcall function 00C4A720: @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C4A73F
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C4B226
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Collections@%Generics@$ArrayUnicode$BeforeClassClear$qqrrpvpv.Destroy$qqrxp14Destruction$qqrxp14Dictionary__2$uj20Free$qqrv.Object.Object@Objectzc.String%@$Asg$qqrrpvpvt2.Capacity$qqriClear$qqrvEnumerable__1$63Object@$bdtr$qqrv.Pair__2$uj20String%%@$bdtr$qqrv
                                    • String ID:
                                    • API String ID: 1455306584-0
                                    • Opcode ID: 0f42492f39915b5437622130167c939084d0ad926ab9ab065a32991eb1af2aea
                                    • Instruction ID: 0e3ca63f35a408f52febb81de7e1446385f7ab1461fa7b2867fef31c574a77ff
                                    • Opcode Fuzzy Hash: 0f42492f39915b5437622130167c939084d0ad926ab9ab065a32991eb1af2aea
                                    • Instruction Fuzzy Hash: EBE0C232340A14070210726DAC82B8EB3E9AE072A13444954F348E7313DF06DD0B03CA
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00874AFA
                                    • @Vcl@Imaging@Pngimage@TPngImage@ClearChunks$qqrv.VCLIMG250 ref: 00874B05
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748B7
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748D5
                                      • Part of subcall function 008748B0: @System@TObject@Free$qqrv.RTL250.BPL(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748DA
                                      • Part of subcall function 008748B0: @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748EB
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00874B10
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00874B1F
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 00874B2A
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00874B35
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Imaging@Pngimage@Vcl@$Free$qqrv.Object@$Image@List@System@@$BeforeChunks$qqrvClassClasses@ClearDestroy$qqrxp14Destruction$qqrxp14Gamma$qqrvInitializeItem$qqruiObject.Objectzc.Persistent@$bdtr$qqrv.PointerSize$qqrxui
                                    • String ID:
                                    • API String ID: 3694650844-0
                                    • Opcode ID: 8bafc22e826752759e2011fe55f7a19726b923adc18278ae508ba5315297919d
                                    • Instruction ID: c33e2f02416c0b4590daa02d35adc6d6ae617243edb078a5e1cc5d5f1149d0d6
                                    • Opcode Fuzzy Hash: 8bafc22e826752759e2011fe55f7a19726b923adc18278ae508ba5315297919d
                                    • Instruction Fuzzy Hash: 6DE08C21B40D10078611B67C48A2BDE13C9FF097A37445420F988C7246DF11DD8E83C7
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085C262
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C271
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C27C
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085C287
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085C292
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085C29D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$FreeMem$qqrpv.System@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 3123731871-0
                                    • Opcode ID: c9069df5583d23c5602289cb37d32ac439e68691e5bf3b1f6cdb3ab77b4d9725
                                    • Instruction ID: fd7af9e3049f2bbd753fc405347f101233eeefa057e991d5cf802620bb02a68c
                                    • Opcode Fuzzy Hash: c9069df5583d23c5602289cb37d32ac439e68691e5bf3b1f6cdb3ab77b4d9725
                                    • Instruction Fuzzy Hash: 62E0B631690D5487CA10B66C8D967CAA3C8FF052D3B048825B9D4C7296DE165D8E57C6
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00869842
                                    • @Vcl@Imaging@Gifimg@TGIFImage@InternalClear$qqrv.VCLIMG250 ref: 0086984D
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 00869899
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A0
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A8
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698B3
                                      • Part of subcall function 00869894: @Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698C7
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00869855
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 0086985D
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 00869868
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00869873
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$L250System@$Clear$qqrvImage@$Free$qqrv.Object@System@@$BeforeBitmap$qqrvClassClasses@ColorDestroy$qqrxp14Destruction$qqrxp14Draw$qqrvFreeHeader@InternalList@Map@Object.Objectzc.Persistent@$bdtr$qqrv.Prepare$qqrvStop
                                    • String ID:
                                    • API String ID: 4209025324-0
                                    • Opcode ID: f4b2744916277eb1e28f3cb1cbe654255e4baf49fcba553a3389af1708723560
                                    • Instruction ID: 91ae1bc7b84b7fa01a3f79376bff3dc4c0b6e749c68b4a53f8508cc51bd728c6
                                    • Opcode Fuzzy Hash: f4b2744916277eb1e28f3cb1cbe654255e4baf49fcba553a3389af1708723560
                                    • Instruction Fuzzy Hash: 0ED01721B51D60074A11B23C8AA679E53C9FF06B933841821FA80CB692DF26AD4D4387
                                    APIs
                                    • @System@Generics@Collections@%TDictionary__2$uj44Oxrtl@System@Kerneldump@TKernelDumpRvaModule%@GetEnumerator$qqrv.OXCOMPONENTSRTL ref: 00C49164
                                    • @System@Generics@Collections@%TDictionary__2$uj44Oxrtl@System@Kerneldump@TKernelDumpRvaModule%@TPairEnumerator@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00C491E4), ref: 00C491BD
                                    • @System@Classes@TStream@GetPosition$qqrv.RTL250.BPL(00000000), ref: 00C4921A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Collections@%Dictionary__2$uj44DumpGenerics@KernelKerneldump@Module%@Oxrtl@$Classes@Enumerator$qqrvEnumerator@L250MoveNext$qqrvPairPosition$qqrv.Stream@
                                    • String ID: PAGE
                                    • API String ID: 2873653113-580869012
                                    • Opcode ID: 56fb60efddd40ad6813e71d9709eda8e7883f506853f8ccda9031d8d310ac956
                                    • Instruction ID: 4b0f893ae3ed39d55eb5d58fec52422c1b9efea0662e8279e1a8d4c95fc1564b
                                    • Opcode Fuzzy Hash: 56fb60efddd40ad6813e71d9709eda8e7883f506853f8ccda9031d8d310ac956
                                    • Instruction Fuzzy Hash: 95413830A0011AEFDF20DF94C988AAEB7F2FB49310F6085A5E814A7364C771AE41DB61
                                    APIs
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL ref: 00C2C0EE
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL ref: 00C2C133
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@Call$qqrx20Dllroutines@Routines@Stringt1.System@Unicode
                                    • String ID: RmShutdown$rstrtmgr.dll$rstrtmgr.dll
                                    • API String ID: 4267512089-2003974332
                                    • Opcode ID: baf20a2aa59afcfc8da5ddb6ea1508e274329ad1b2aa7262d1d47f5500a63fae
                                    • Instruction ID: f7630b9c24e9ca303d3fd57573df7a15ab87a77ca8f9b05f1f87ccd6d9a824c5
                                    • Opcode Fuzzy Hash: baf20a2aa59afcfc8da5ddb6ea1508e274329ad1b2aa7262d1d47f5500a63fae
                                    • Instruction Fuzzy Hash: 1B2179B220D3E05FD716827868D766FBF71AE5331070D41CFD8818BC63D2548826D35A
                                    APIs
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 0085A520
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 0085A553
                                    • @System@Classes@TStream@SetPosition$qqrxj.RTL250.BPL(00000000,00000000), ref: 0085A59D
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085A5CA), ref: 0085A5BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$Char$qqrpvic.Classes@FillFree$qqrv.Object@Object@$bctr$qqrv.Position$qqrxj.Stream@System@@
                                    • String ID: BM
                                    • API String ID: 435706269-2348483157
                                    • Opcode ID: ed78a8760ce25ded642c6f1085975748a8c2c9b62cadb337d6f526818faa18d6
                                    • Instruction ID: 815c2d094062ca039f21484cd6b5a0dc49a011174495d4b938dbcbc8005128fd
                                    • Opcode Fuzzy Hash: ed78a8760ce25ded642c6f1085975748a8c2c9b62cadb337d6f526818faa18d6
                                    • Instruction Fuzzy Hash: DE218935A00208DFCB04DFA8D891A6ABBF5FF49311B1145A5EC05EB395DB31EE08DB92
                                    APIs
                                    • @Vcl@Graphics@TGraphic@SetModified$qqro.VCL250.BPL ref: 0086A776
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000001,?,0086A7D5), ref: 0086A7A2
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000001,?,0086A7D5), ref: 0086A7B3
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000001,?,0086A7D5), ref: 0086A7C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$CallDynaGraphic@Graphics@Inst$qqrv.LoadModified$qqro.Rec.Rect$qqriiii.StringString$qqrp20System@@Types@Vcl@
                                    • String ID: d
                                    • API String ID: 1058860054-2564639436
                                    • Opcode ID: b42c3ce5dfe9bab25457c4fcb06da9f4291d84668b2732856e363ada0e18e43e
                                    • Instruction ID: d9aedc2e7ca882b21710750106ec70b9caff7f9465a286e8a692cc8de9c71139
                                    • Opcode Fuzzy Hash: b42c3ce5dfe9bab25457c4fcb06da9f4291d84668b2732856e363ada0e18e43e
                                    • Instruction Fuzzy Hash: 5BF03076A04108AFDB04EBA9C841EDEB7FAFB48300F208061F900E7290DA749E048B61
                                    APIs
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00873F43
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@FilterToEncode$qqrv.VCLIMG250 ref: 00873FA8
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@IDATZlibWrite$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2pvxui.VCLIMG250(00000001), ref: 00873FBD
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@IDATZlibWrite$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2pvxui.VCLIMG250(00000000,00000001), ref: 00873FD5
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@FinishIDATZlib$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2.VCLIMG250 ref: 00874025
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Chunk$Stream$Rec2pvxuiWrite$qqrr33Zlib$Char$qqrpvic.Encode$qqrvFillFilterFinishL250Rec2System@@Zlib$qqrr33
                                    • String ID:
                                    • API String ID: 1571839251-0
                                    • Opcode ID: 0ad944db76119ea032c5c2bd5c192eb7635fba9354587d0d710aa8421659e62e
                                    • Instruction ID: 10d78c0e06fccb41f2ddb9b4b878a18efbbfa9ae5ebac1816763f1ac34013f4f
                                    • Opcode Fuzzy Hash: 0ad944db76119ea032c5c2bd5c192eb7635fba9354587d0d710aa8421659e62e
                                    • Instruction Fuzzy Hash: 8A610BB15083418FC714CF29C48852ABBE0FB99304F1489ADE9DDCB66AD331DA45EB53
                                    APIs
                                    • @System@Math@Min$qqrxjxj.RTL250.BPL(?,?,?,?), ref: 00BED173
                                    • @Oxrtl@System@Filemapped@TMappedStream@GetCurrentPageInfo$qqrxjrp44Oxrtl@System@Filemapped@TMappedPageIndexInfo.OXCOMPONENTSRTL(?,?,?,?,?,?), ref: 00BED19D
                                    • @System@Generics@Collections@%TList__1$p35Oxrtl@System@Filemapped@TMappedPage%@GetItem$qqri.OXCOMPONENTSRTL(?,?,?,?), ref: 00BED1AF
                                    • @Oxrtl@System@Filemapped@TMappedStream@SetPageIndex$qqrxi.OXCOMPONENTSRTL(?,?,?,?), ref: 00BED211
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?,?,?), ref: 00BED22B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Filemapped@MappedOxrtl@$Page$L250Stream@$Collections@%CurrentGenerics@IndexIndex$qqrxiInfoInfo$qqrxjrp44Item$qqriList__1$p35Math@Min$qqrxjxj.Move$qqrpxvpvi.Page%@
                                    • String ID:
                                    • API String ID: 1350975705-0
                                    • Opcode ID: 5ffd70d674576fec1b05d058d79d403ff33ac445cffc4ca3bdf3e771ffadc7b4
                                    • Instruction ID: 7ca6fac6ed3c3161692fbda02672bd39b0088411dd15b10503e675e4da972958
                                    • Opcode Fuzzy Hash: 5ffd70d674576fec1b05d058d79d403ff33ac445cffc4ca3bdf3e771ffadc7b4
                                    • Instruction Fuzzy Hash: E3511774A0064ADFCB10CFA9C580BAEF7F1FF48314F2486AAE515A7211D374E986CB91
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@FindExtension$qqrp22System@Classes@TStream.VCLIMG250 ref: 00862EAB
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL ref: 00862EC1
                                    • @Vcl@Imaging@Gifimg@TGIFList@Add$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 00862F07
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00862F9C), ref: 00862F8F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@System@Vcl@$L250$Add$qqrp27ArrayClasses@Clr$qqrpvi.Extension$qqrp22Extension@FindItemList@LoadRec.StreamStringString$qqrp20System@@
                                    • String ID:
                                    • API String ID: 1642846830-0
                                    • Opcode ID: c6a0b63f9a867c0518b849b876184216a8ca2c49b6a9bd9ab3e0d689540e3511
                                    • Instruction ID: d047e0ac1e933c5ce90894a4519d4e8dc48542749557f74632ed541bef3a7bff
                                    • Opcode Fuzzy Hash: c6a0b63f9a867c0518b849b876184216a8ca2c49b6a9bd9ab3e0d689540e3511
                                    • Instruction Fuzzy Hash: 9831E230A04A099FCB10DF68D8949ADBBF5FF89320B1285A5F811DB3A1DB75AD05CB91
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085C16F
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C207
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C21C
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C231
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000), ref: 0085C244
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Mem$qqri.$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.System@
                                    • String ID:
                                    • API String ID: 3732308598-0
                                    • Opcode ID: 2d55b64454dd796d2602e8d3a7a56900053cd4f3541fdd6a3797bde19ea2fceb
                                    • Instruction ID: c8c69485167206a5d8144e84e601855bf11bcc0857d6e4084c84675f7dad4c60
                                    • Opcode Fuzzy Hash: 2d55b64454dd796d2602e8d3a7a56900053cd4f3541fdd6a3797bde19ea2fceb
                                    • Instruction Fuzzy Hash: 5931F1B29442504FDB148F7C98C63D83BD0FF15319F044ABAED51CB386EAB9848A8B85
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085C16F
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C207
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C21C
                                    • @System@@GetMem$qqri.RTL250.BPL(?,00000000), ref: 0085C231
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00000000), ref: 0085C244
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Mem$qqri.$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.System@
                                    • String ID:
                                    • API String ID: 3732308598-0
                                    • Opcode ID: 3e8dd4e2fa0faea6bd81a2172ed120f9c1fd5969a910eea102c76b9f2aed2504
                                    • Instruction ID: c0b80a2472de4bfdd24b812be3c39563864a84207a16d8cb9515fc4b76220e37
                                    • Opcode Fuzzy Hash: 3e8dd4e2fa0faea6bd81a2172ed120f9c1fd5969a910eea102c76b9f2aed2504
                                    • Instruction Fuzzy Hash: 3121F0B2A406104FDB148F7C98C23D936D4FB0431AF044A7AED11CB386EA7984898B85
                                    APIs
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000000,?,00000000,0086A7F0), ref: 0086A6D7
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000,?,00000000,0086A7F0), ref: 0086A6E8
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000000,?,00000000,0086A7F0), ref: 0086A6FD
                                    • @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250(?,?,?,?,00000000,00000000,?,00000000,0086A7F0), ref: 0086A734
                                      • Part of subcall function 00859760: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085976A
                                      • Part of subcall function 00859760: @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00859779
                                      • Part of subcall function 00859760: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00859787
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0086A771,?,?,00000000,00000000,?,00000000,0086A7F0), ref: 0086A764
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$Gifimg@Imaging@Vcl@$AfterCallClassConstruction$qqrxp14Create$qqrpvzc.DynaFree$qqrv.ImageInst$qqrv.Item@$bctr$qqrp28LoadObject.Object@Object@$bctr$qqrv.Rec.Rect$qqriiii.StringString$qqrp20Types@
                                    • String ID:
                                    • API String ID: 2541107439-0
                                    • Opcode ID: 674eee13bc3b65a1312a774a3cfa4e404f84d7cce0fe32e966c3dd17096bc860
                                    • Instruction ID: d4079e99415cfc5d04b06ea7b7b1d28c62824daeadf19482a229d9ded61a26c2
                                    • Opcode Fuzzy Hash: 674eee13bc3b65a1312a774a3cfa4e404f84d7cce0fe32e966c3dd17096bc860
                                    • Instruction Fuzzy Hash: 8E213D75A00608AFCB05DFA9C8919AEBBF9FB4D700B5140B9F801E7790DB34AD05CE61
                                    APIs
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtGetChannelConfigProperty$qqrui51Oxrtl@Winapi@Wevtapi@EVT_CHANNEL_CONFIG_PROPERTY_IDuiuip32Oxrtl@Winapi@Wevtapi@EVT_VARIANTrui.OXCOMPONENTSRTL(?,?,00000000), ref: 00BD918C
                                      • Part of subcall function 00BD90E4: @Oxrtl@Winapi@Wevtapi@WevtApi@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?,?), ref: 00BD9104
                                    • GetLastError.KERNEL32 ref: 00BD919A
                                    • @System@GetMemory$qi.RTL250.BPL(?), ref: 00BD91A8
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtGetChannelConfigProperty$qqrui51Oxrtl@Winapi@Wevtapi@EVT_CHANNEL_CONFIG_PROPERTY_IDuiuip32Oxrtl@Winapi@Wevtapi@EVT_VARIANTrui.OXCOMPONENTSRTL(?,?,?,00000000,00BD9202), ref: 00BD91D3
                                    • @System@FreeMemory$qpv.RTL250.BPL(?,00BD9209), ref: 00BD91F4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Oxrtl@Wevtapi@Winapi@$Api@System@Wevt$ChannelConfigDuiuip32L250Property$qqrui51Trui$ErrorFreeLastMemory$qi.Memory$qpv.Proc$qqrx20StringUnicode
                                    • String ID:
                                    • API String ID: 236173852-0
                                    • Opcode ID: b00f11776237a8dc1d0921636799b40c0057c9c943d3c9f905f1b59e28d0ef1a
                                    • Instruction ID: 76a6b53b8c4e46245dee4b34e3ac4d7846110ae3a626992437ea7ca8e277f661
                                    • Opcode Fuzzy Hash: b00f11776237a8dc1d0921636799b40c0057c9c943d3c9f905f1b59e28d0ef1a
                                    • Instruction Fuzzy Hash: F7213075A04248BFDB01CFA9D881D9EFBF9EB8A350B1184F6F818D7351E6319E408761
                                    APIs
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtGetEventMetadataProperty$qqrui51Oxrtl@Winapi@Wevtapi@EVT_EVENT_METADATA_PROPERTY_IDuip32Oxrtl@Winapi@Wevtapi@EVT_VARIANTrui.OXCOMPONENTSRTL(?,?), ref: 00BD93EE
                                      • Part of subcall function 00BD9014: @Oxrtl@Winapi@Wevtapi@WevtApi@Proc$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?), ref: 00BD9030
                                    • GetLastError.KERNEL32 ref: 00BD93FC
                                    • @System@GetMemory$qi.RTL250.BPL(?), ref: 00BD940A
                                    • @Oxrtl@Winapi@Wevtapi@WevtApi@EvtGetEventMetadataProperty$qqrui51Oxrtl@Winapi@Wevtapi@EVT_EVENT_METADATA_PROPERTY_IDuip32Oxrtl@Winapi@Wevtapi@EVT_VARIANTrui.OXCOMPONENTSRTL(?,?,00000000,00BD9462), ref: 00BD9433
                                    • @System@FreeMemory$qpv.RTL250.BPL(?,00BD9469), ref: 00BD9454
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Oxrtl@Wevtapi@Winapi@$Api@System@Wevt$Duip32EventL250MetadataProperty$qqrui51Trui$ErrorFreeLastMemory$qi.Memory$qpv.Proc$qqrx20StringUnicode
                                    • String ID:
                                    • API String ID: 1911359031-0
                                    • Opcode ID: 7f90ee6a8ac8f79c9549da4ccc4a1d53ff00a8788b6ea4bd26a77fd856cdb52e
                                    • Instruction ID: 76c75a083abedfed65e73667a3a2ce177f9d0bbfe793894b7692f8e44fe1fed5
                                    • Opcode Fuzzy Hash: 7f90ee6a8ac8f79c9549da4ccc4a1d53ff00a8788b6ea4bd26a77fd856cdb52e
                                    • Instruction Fuzzy Hash: D0216FB1A04248AFCB11CBADD88199EF7FDEF8D310B1284F6E404D3351E6709E018B61
                                    APIs
                                    • @Oxrtl@Network@Traffic@NetworkTraffic@Lock$qqrv.OXCOMPONENTSRTL ref: 00C36043
                                      • Part of subcall function 00C36124: EnterCriticalSection.KERNEL32(?,?,00C35D6E,?,?,?,00C35CF9,?,?,?), ref: 00C3612C
                                    • @System@Generics@Collections@%TDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%@GetEnumerator$qqrv.OXCOMPONENTSRTL(00000000,00C36113), ref: 00C36075
                                      • Part of subcall function 00C37084: @System@Generics@Collections@%TDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%@TPairEnumerator@$bctr$qqrxp94System@Generics@Collections@%TDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%.OXCOMPONENTSRTL(?,00C35C03), ref: 00C37090
                                    • @System@Generics@Collections@%TDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%@TPairEnumerator@GetCurrent$qqrv.OXCOMPONENTSRTL(00000000,00C360F6,?,00000000,00C36113), ref: 00C36093
                                    • @Oxrtl@Network@Traffic@TNetworkTrafficCounter@UpdateStatistic$qqrv.OXCOMPONENTSRTL(00000000,00C360F6,?,00000000,00C36113), ref: 00C3609D
                                    • @System@Generics@Collections@%TDictionary__2$uip44Oxrtl@Network@Traffic@TNetworkTrafficCounter%@TPairEnumerator@MoveNext$qqrv.OXCOMPONENTSRTL(00000000,00C360F6,?,00000000,00C36113), ref: 00C360CF
                                      • Part of subcall function 00C3768C: @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,?,00C35C30,00000000,00C35C52), ref: 00C376B4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Traffic@$NetworkNetwork@Oxrtl@$Traffic$Collections@%Dictionary__2$uip44Generics@System@$Counter%@$Pair$Enumerator@$ArrayCounter%Counter@CriticalCurrent$qqrvEnterEnumerator$qqrvEnumerator@$bctr$qqrxp94L250Length$qqrpxv.Lock$qqrvMoveNext$qqrvSectionStatistic$qqrvSystem@@Update
                                    • String ID:
                                    • API String ID: 2735527886-0
                                    • Opcode ID: 7465408fdb532960fb3c56f2088acf434f8ab499a9055503194449e3d9f0f24d
                                    • Instruction ID: 67674b0d4d13fe5c85c575a302d609e8e3678a561784121b5045882cc45bfb9f
                                    • Opcode Fuzzy Hash: 7465408fdb532960fb3c56f2088acf434f8ab499a9055503194449e3d9f0f24d
                                    • Instruction Fuzzy Hash: E42157B0610601EFDB24CF18C992B6AFBF4FF89704F118968E45497751DB75AC20DB90
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(00000000,0087037F), ref: 00870313
                                    • @System@@UStrFromArray$qqrr20System@UnicodeStringpci.RTL250.BPL(?), ref: 0087032E
                                    • @System@@UStrEqual$qqrv.RTL250.BPL ref: 00870337
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250 ref: 00870345
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00870386), ref: 00870379
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Imaging@Item$qqruiList@Pngimage@PointerVcl@$ArrayArray$qqrr20Clr$qqrpvi.Equal$qqrv.FromStringpci.System@Unicode
                                    • String ID:
                                    • API String ID: 490086395-0
                                    • Opcode ID: cd2e1f9512c5f06617935fe54dcac6d4886145664fa528cc297548d855852948
                                    • Instruction ID: 2a76262e2c10425be14b79ad5d7c98210dae523ce3d976ba5e12a6900314634a
                                    • Opcode Fuzzy Hash: cd2e1f9512c5f06617935fe54dcac6d4886145664fa528cc297548d855852948
                                    • Instruction Fuzzy Hash: 7721DC30A04608DFDB04CFA8C884AAEB7B5FB48314F1489A5E818E7369CB74ED04CF90
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C0C261
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00C0C270
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C0C2A2
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C0C308
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00C0C346
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$Clear$qqrr44DelphiInterface$17Interface%.IntfSystem@%$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 3327337824-0
                                    • Opcode ID: e15065ad112d92633f1d0906c618af6bfb89d3a6ac698d0f7911ffa01d4e77d2
                                    • Instruction ID: 0ffd9dc88c35b1af9ffc5bc306be2b9a7bfec43ca6bef65420abd63a340e0f7c
                                    • Opcode Fuzzy Hash: e15065ad112d92633f1d0906c618af6bfb89d3a6ac698d0f7911ffa01d4e77d2
                                    • Instruction Fuzzy Hash: CD2116B1701A82AFD388CF38C844B86FAE5BB45304F04876AD12CD7742E775A4648BE1
                                    APIs
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C1F372
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,00C1F417), ref: 00C1F3B0
                                    • @Oxrtl@System@Processes@ProcessUtils@EnumProcessModules$qqrxui59System@%DelphiInterface$32System@Sysutils@%TFunc__3$uipvo%%.OXCOMPONENTSRTL(00000000,00C1F3FA,?,00000410,00000000,00000000,00000000,00C1F417), ref: 00C1F3D8
                                    • CloseHandle.KERNEL32(000000FF,00C1F401,00000410,00000000,00000000,00000000,00C1F417), ref: 00C1F3F4
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C1F41E), ref: 00C1F411
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiProcessSystem@%$Interface$17Interface%.IntfL250System@@$Clear$qqrr44CloseEnumFunc__3$uipvo%%HandleInterface$32Modules$qqrxui59OpenOxrtl@Processes@Ref$qqrx44Sysutils@%Utils@
                                    • String ID:
                                    • API String ID: 201065377-0
                                    • Opcode ID: d8ce1d6dca9be83f5865e9fc95e5e85a060d269583c55148bdf410a531fd0c0f
                                    • Instruction ID: 92021dfef88a2e1be0850d0409629a50a906a0f92d9cdb6ec84d729248f9f8e7
                                    • Opcode Fuzzy Hash: d8ce1d6dca9be83f5865e9fc95e5e85a060d269583c55148bdf410a531fd0c0f
                                    • Instruction Fuzzy Hash: A1216330904708EFEB15DF95D845BDDB7F4EB4A710FA084B9E420A2690D7745EC2EA10
                                    APIs
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL ref: 008676C9
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008676CE
                                    • @Vcl@Imaging@Gifimg@TGIFBlock@$bctr$qqri.VCLIMG250 ref: 008676EC
                                    • @Vcl@Imaging@Gifimg@TGIFBlock@LoadFromStream$qqrp22System@Classes@TStream.VCLIMG250(00000000,00867717), ref: 00867708
                                    • @System@Classes@TList@Add$qqrpv.RTL250.BPL ref: 00867734
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Classes@L250$Gifimg@Imaging@List@Vcl@$Add$qqrpv.Block@Block@$bctr$qqriFree$qqrv.FromGet$qqri.LoadObject@StreamStream$qqrp22
                                    • String ID:
                                    • API String ID: 2859276804-0
                                    • Opcode ID: 20ed74d127987f24cf8a024aaabaf16db406692766db05bea0987989c7e41581
                                    • Instruction ID: 904f5eae53f5c93d8876a867e36200684d93a9acc0c585aa3d25f11f1ac3ca6a
                                    • Opcode Fuzzy Hash: 20ed74d127987f24cf8a024aaabaf16db406692766db05bea0987989c7e41581
                                    • Instruction Fuzzy Hash: 3911BF74A086089FCB11DF58D882A5AB7F5FF99328B2281E1EC10D7351DB31AD00CBE1
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250 ref: 00862D64
                                    • @Vcl@Imaging@Gifimg@TGIFImage@GetBitsPerPixel$qqrv.VCLIMG250 ref: 00862D70
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00862D87
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetInterlaced$qqrv.VCLIMG250(?,?,00000000,00862DE9), ref: 00862DBA
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00862DF0,?,?,00000000,00862DE9), ref: 00862DE3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$BitsL250Pixel$qqrvSystem@$ColorFrame@Free$qqrv.Image@Interlaced$qqrvMap@Object@Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 2382258382-0
                                    • Opcode ID: 88be637dc780364aac89062f86405561046c4cf2ee195a40d7747d248ee20e7f
                                    • Instruction ID: 5b26b6c5895ae857a21293f6f40a26e21bc29797b31fa3966de9680d03df4448
                                    • Opcode Fuzzy Hash: 88be637dc780364aac89062f86405561046c4cf2ee195a40d7747d248ee20e7f
                                    • Instruction Fuzzy Hash: 0D116A31700A08AFC760DF6DC88196AB7E8FB4C750B1246A9F849C77A2D634ED40DBA0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@LoadFromStream$qqrp22System@Classes@TStreamx27System@%StaticArray$ci$i4$%i.VCLIMG250(?,?), ref: 008713C4
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250(00000000,00870FD7), ref: 00870F40
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870F6A
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F7D
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870F8C
                                      • Part of subcall function 00870F18: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?), ref: 00870FAB
                                      • Part of subcall function 00870F18: @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(?), ref: 00870FBC
                                      • Part of subcall function 00870F18: @System@@UStrClr$qqrpv.RTL250.BPL(00870FDE), ref: 00870FD1
                                    • @System@@LStrFromPChar$qqrr27System@%AnsiStringT$us$i0$%pcus.RTL250.BPL(?,?), ref: 008713E2
                                    • @System@@LStrSetLength$qqrr27System@%AnsiStringT$us$i0$%ius.RTL250.BPL(?,?), ref: 008713FD
                                    • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL250.BPL(?,?), ref: 00871405
                                    • @System@Move$qqrpxvpvi.RTL250.BPL(?,?), ref: 0087142C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@L250StringSystem@System@%Vcl@$Pngimage@System@@$AnsiStatic$Array$uci$i65536$%iChunk@FromLoadPngimage@update_crc$qqruip32$A$qqrr27Array$ci$i4$%iByteChar$qqrr27Class20Classes@Clr$qqrpv.Data$qqrxuiError$qqrp17Image@Length$qqrr27MetaMove$qqrpxvpvi.RaiseRec.ResizeStream$qqrp22Streamx27String$qqrp20Swap$qqrxiT$us$i0$%.T$us$i0$%ius.T$us$i0$%pcus.UnicodeUnique
                                    • String ID:
                                    • API String ID: 1065631934-0
                                    • Opcode ID: 2ec8a13f15c2d97dee782980602282c0baae4632fe5e23dfa17a3ce153b446e2
                                    • Instruction ID: 6ac74f9948fa768a460568f2cad44599a7f079e75afe0e4802d3092c9530cfbb
                                    • Opcode Fuzzy Hash: 2ec8a13f15c2d97dee782980602282c0baae4632fe5e23dfa17a3ce153b446e2
                                    • Instruction Fuzzy Hash: 73116D35B005049BDF04DE6CC98969ABBEAEF49300B0481A5D809EB34ADA30ED54CBD1
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 00864E81
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(00000000,00864F33), ref: 00864E9E
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E13
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBrush@SetColor$qqr21System@Uitypes@TColor.VCL250.BPL ref: 00864E1D
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E24
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBrush@SetStyle$qqr24Vcl@Graphics@TBrushStyle.VCL250.BPL ref: 00864E2E
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL ref: 00864E35
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000), ref: 00864E48
                                      • Part of subcall function 00864DD4: @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00864E5C
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(00000000,00864F16,?,00000000,00864F33), ref: 00864ED2
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?,00000000,00864F16,?,00000000,00864F33), ref: 00864EE5
                                      • Part of subcall function 00864BC4: @Vcl@Imaging@Gifimg@TGIFColorMap@Add$qqr21System@Uitypes@TColor.VCLIMG250 ref: 00864C01
                                      • Part of subcall function 00864BC4: @Vcl@Imaging@Gifimg@TGIFFrame@GetScanline$qqri.VCLIMG250(?,00000003), ref: 00864C5D
                                      • Part of subcall function 00864BC4: @System@TObject@Free$qqrv.RTL250.BPL(00864CAD,00000003), ref: 00864CA0
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00864F1D), ref: 00864F10
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$L250$Graphics@$Bitmap@Canvas$qqrv.$System@$Bitmap@$bctr$qqrv.Brush@ColorFree$qqrv.Gifimg@Imaging@Object@Uitypes@$Add$qqr21BrushColor$qqr21Color.Frame@Map@Scanline$qqriStyle$qqr24Style.
                                    • String ID:
                                    • API String ID: 817753274-0
                                    • Opcode ID: b9244e5e7e577c59b21d985b399360a7134381e25976e98068548821d6d5d2fe
                                    • Instruction ID: d9ead646916fcc45770f4dec3e5e79464f590e34254163b27410c1d5727b873f
                                    • Opcode Fuzzy Hash: b9244e5e7e577c59b21d985b399360a7134381e25976e98068548821d6d5d2fe
                                    • Instruction Fuzzy Hash: 53112531A04608AFC704EF6DDC9284EBBE9FB0A710B5281A0F910D77A1EE35AD04CB11
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086B0E1
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086B0F5
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?), ref: 0086B104
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250 ref: 0086B129
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250 ref: 0086B137
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$Frame$qqriImageImage@$Bitmap$qqrvCount$qqrvDraw$qqrvFreeStop
                                    • String ID:
                                    • API String ID: 4001349346-0
                                    • Opcode ID: a4b82c67bae9d1e5e2a5388eb5ba98d38cd5f356e69264634d184d9ce494d377
                                    • Instruction ID: 8f42296621594f134f3e47f4440b2dbc5d9067d921a14b402f0e6afb158d9149
                                    • Opcode Fuzzy Hash: a4b82c67bae9d1e5e2a5388eb5ba98d38cd5f356e69264634d184d9ce494d377
                                    • Instruction Fuzzy Hash: 2D019A723055688B8B20AF2DC88083AB7D9FF8935536340B5FC14CB212EF34CC828792
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086B165
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086B179
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?), ref: 0086B188
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250 ref: 0086B1AD
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250 ref: 0086B1BB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$List@$Frame$qqriImageImage@$Bitmap$qqrvCount$qqrvDraw$qqrvFreeStop
                                    • String ID:
                                    • API String ID: 4001349346-0
                                    APIs
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,?,?,00000000), ref: 00C2A156
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(?,00000000,?,?,?,?,00000000), ref: 00C2A169
                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00C2A16F
                                    • @System@@DynArrayLength$qqrpxv.RTL250.BPL(00000000,?,00000000,?,?,?,?,00000000), ref: 00C2A179
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C2A1BE,00000000), ref: 00C2A1B1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: ArrayL250System@@$Length$qqrpxv.$Clear$qqrrpvpv.MultipleObjectsWait
                                    • String ID:
                                    • API String ID: 98028544-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00863031
                                    • @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 0086303E
                                    • @Vcl@Imaging@Gifimg@TGIFExtensionList@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 0086304C
                                    • @Vcl@Imaging@Gifimg@TGIFList@Add$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 008630AA
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 008630B5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$L250System@@$Add$qqrp27AfterClassConstruction$qqrxp14Create$qqrpvzc.ExtensionFrameImageItemItem@$bctr$qqrp28List@List@$bctr$qqrp28Object.System@
                                    • String ID:
                                    • API String ID: 769175913-0
                                    APIs
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@JournalExist$qqrx20System@UnicodeString.OXCOMPONENTSRTL(?,?,?,?,?,00BDF1A0,?,?,?), ref: 00BDF1B9
                                      • Part of subcall function 00BDEF9C: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BDF0C2), ref: 00BDEFBE
                                      • Part of subcall function 00BDEF9C: @Oxrtl@Winapi@Wevtapi@WevtApi@IsSupported$qqrv.OXCOMPONENTSRTL(00000000,00BDF0C2), ref: 00BDEFCB
                                      • Part of subcall function 00BDEF9C: @Oxrtl@Winapi@Wevtapi@WevtApi@EvtOpenSession$qqruiui.OXCOMPONENTSRTL(00000000,00BDF0C2), ref: 00BDEFD8
                                      • Part of subcall function 00BDEF9C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BDF041,?,00000000,00BDF0C2), ref: 00BDEFFA
                                      • Part of subcall function 00BDEF9C: @Oxrtl@Winapi@Wevtapi@WevtApi@EvtOpenLog$qqruipbui.OXCOMPONENTSRTL(00000000,00BDF041,?,00000000,00BDF0C2), ref: 00BDF009
                                      • Part of subcall function 00BDEF9C: GetLastError.KERNEL32(00000000,00BDF041,?,00000000,00BDF0C2), ref: 00BDF012
                                      • Part of subcall function 00BDEF9C: @Oxrtl@Winapi@Wevtapi@WevtApi@EvtClose$qqrui.OXCOMPONENTSRTL(00BDF0AC,00000000,00BDF0C2), ref: 00BDF03B
                                    • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(?,?,?,?,?,00BDF1A0,?,?,?), ref: 00BDF1C4
                                    • OpenEventLogW.ADVAPI32(00000000,00000000), ref: 00BDF1CC
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@OldListEvents$qqrxuix20System@UnicodeStringx59System@%DelphiInterface$32Oxrtl@System@Eventlog@ICondition%xjpxv.OXCOMPONENTSRTL(?,?,?,?,00000000,00BDF216,?,00000000,00000000,?,?,?,?,?,00BDF1A0,?), ref: 00BDF1FA
                                      • Part of subcall function 00BDE818: GetNumberOfEventLogRecords.ADVAPI32(?,?), ref: 00BDE844
                                      • Part of subcall function 00BDE818: @Oxrtl@System@Eventlog@TWindowsEventLog@TWindowsEventRecordOld@$bctr$qqrpv.OXCOMPONENTSRTL(00000000,00BDE9EF), ref: 00BDE865
                                      • Part of subcall function 00BDE818: @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL(00BDE9D9), ref: 00BDE9CC
                                    • CloseEventLog.ADVAPI32(00000000), ref: 00BDF210
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Oxrtl@$Event$Unicode$Api@Eventlog@L250WevtWevtapi@Winapi@Windows$Log@OpenString.System@@$Char$qqrx20$CloseClose$qqruiCondition%xjpxvDelphiErrorEvents$qqrxuix20Exist$qqrx20FreeInterface$32JournalLastLen$qqrx20ListLog$qqruipbuiNil$qqrpv.NumberOld@$bctr$qqrpvRecordRecordsSession$qqruiuiStringStringx59Supported$qqrvSystem@%Sysutils@
                                    • String ID:
                                    • API String ID: 459415615-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00866903
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250(00000000,0086697B,?,?), ref: 0086691F
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0086697B,?,?), ref: 00866954
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(00000000,0086697B,?,?), ref: 00866960
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00866982,?), ref: 00866975
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$L250System@$StringSystem@@$ClassClr$qqrpv.Create$qqrpvzc.Extension@$bctr$qqrp28FrameItem@LoadRec.Severityx20String$qqrp20UnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 1826196305-0
                                    APIs
                                    • @System@Sysutils@Trim$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF41D1,?,?,?,?,00000000), ref: 00BF416F
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BF41D1,?,?,?,?,00000000), ref: 00BF4177
                                    • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL250.BPL(00000000,00BF41D1,?,?,?,?,00000000), ref: 00BF4194
                                    • @System@Sysutils@SameText$qqrx20System@UnicodeStringt1.RTL250.BPL(00000000,00BF41D1,?,?,?,?,00000000), ref: 00BF41A8
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BF41D8,?,?,?,00000000), ref: 00BF41CB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Unicode$System@@$String.Sysutils@$Cat3$qqrr20Clr$qqrpv.Len$qqrx20SameStringt1.Stringt2.Stringx20Text$qqrx20Trim$qqrx20
                                    • String ID:
                                    • API String ID: 587952080-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C2020B
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C20287,?,?,00C18FA0,00000001,00000000,?,00C201C2,00000000,00C201D8,?,00C173AC,00000001,00000000), ref: 00C20228
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C20287,?,?,00C18FA0,00000001,00000000,?,00C201C2,00000000,00C201D8,?,00C173AC,00000001,00000000), ref: 00C2024E
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C20287,?,?,00C18FA0,00000001,00000000,?,00C201C2,00000000,00C201D8,?,00C173AC,00000001,00000000), ref: 00C2026C
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C2028E,?,00C18FA0,00000001,00000000,?,00C201C2,00000000,00C201D8,?,00C173AC,00000001,00000000,?,00C1ED8A), ref: 00C20281
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiInterface$17L250System@%$System@@$Interface%.Intf$Copy$qqrr44Interface%x44$ClassClear$qqrr44Create$qqrpvzc.Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 3986830346-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C143F3
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C1446F,?,?,00C11FAC,00000001,00000000,?,00C143AA,00000000,00C143C0,?,?,?,00000000), ref: 00C14410
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1446F,?,?,00C11FAC,00000001,00000000,?,00C143AA,00000000,00C143C0,?,?,?,00000000), ref: 00C14436
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1446F,?,?,00C11FAC,00000001,00000000,?,00C143AA,00000000,00C143C0,?,?,?,00000000), ref: 00C14454
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C14476,?,00C11FAC,00000001,00000000,?,00C143AA,00000000,00C143C0,?,?,?,00000000,?,00C12EBA,00000000), ref: 00C14469
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiInterface$17L250System@%$System@@$Interface%.Intf$Copy$qqrr44Interface%x44$ClassClear$qqrr44Create$qqrpvzc.Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 3986830346-0
                                    APIs
                                    • timeGetTime.WINMM ref: 0086904A
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@Draw$qqrp20Vcl@Graphics@TCanvasrx18System@Types@TRect.VCLIMG250 ref: 00869057
                                      • Part of subcall function 00868D28: @System@Types@EqualRect$qqrrx18System@Types@TRectt1.RTL250.BPL ref: 00868D3B
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 00869068
                                    • timeGetTime.WINMM ref: 0086908A
                                    • @Vcl@Imaging@Gifimg@TGIFRenderer@StartAnimationTimer$qqri.VCLIMG250 ref: 008690A6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Gifimg@Imaging@System@Types@$Renderer@Timetime$AnimationCanvasrx18Count$qqrvCustomDraw$qqrp20EqualGraphics@L250List@RectRect$qqrrx18Rectt1.StartTimer$qqri
                                    • String ID:
                                    • API String ID: 4156542720-0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00BE309B
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00BE3112,?,?,?,?,00000000), ref: 00BE30B8
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BE3112,?,?,?,?,00000000), ref: 00BE30EC
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@InsertRange$qqrixp131System@Generics@Collections@%TEnumerable__1$84System@%DelphiInterface$57Oxrtl@SystewpKpdLGY4MLdepKso9Gamg.OXCOMPONENTSRTL(00000000,00BE3112,?,?,?,?,00000000), ref: 00BE30F7
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BE3119,?,?,?,00000000), ref: 00BE310C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$L250$Interface$17System@@$Collections@%Generics@Interface$57Interface%.IntfOxrtl@$ClassClear$qqrr44ConditionCopy$qqrr44Create$qqrpvzc.Enumerable__1$84EventEventlog@GamgInsertInterface%x44Internal%%@Kso9LdepList__1$84Log@Object@$bctr$qqrv.Range$qqrixp131SystewpWindows
                                    • String ID:
                                    • API String ID: 4249066455-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C202BB
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(00000000,00C20332,?,?,?,?,00000000), ref: 00C202D8
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C20332,?,?,?,?,00000000), ref: 00C2030C
                                    • @System@Generics@Collections@%TList__1$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%%@InsertRange$qqrixp104System@Generics@Collections@%TEnumerable__1$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%%.OXCOMPONENTSRTL(00000000,00C20332,?,?,?,?,00000000), ref: 00C20317
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C20339,?,?,?,00000000), ref: 00C2032C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiSystem@%$L250$Interface$17System@@$Collections@%Generics@Interface$30Interface%.IntfOxrtl@Processes@$ClassClear$qqrr44Copy$qqrr44Create$qqrpvzc.Enumerable__1$57InsertInterface%x44List__1$57Object@$bctr$qqrv.Range$qqrixp104Window%%Window%%@
                                    • String ID:
                                    • API String ID: 3382415737-0
                                    • Opcode ID: cd72d480dba80d46f46da81ec01bf2d7d302834d62bd38328ff78a4232805fa5
                                    • Instruction ID: ca31c100d2835c7474f906eb270c9f7388cf704ce9a4a0a7a7391e8aa7548703
                                    • Opcode Fuzzy Hash: cd72d480dba80d46f46da81ec01bf2d7d302834d62bd38328ff78a4232805fa5
                                    • Instruction Fuzzy Hash: 2301F171600A08AFC300DF29EC82A5AF7F9FF86300724866BE40083E22DB70AD159AD0
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCC238,?,?,?,00000000), ref: 00BCC1DC
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC238,?,?,?,00000000), ref: 00BCC1EA
                                    • @System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@GetItem$qqri.OXCOMPONENTSRTL(00000000,00BCC238,?,?,?,00000000), ref: 00BCC202
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCC23F,?,?,00000000), ref: 00BCC232
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250System@@Unicode$DelphiString.System@%$Application%%@AppxAppxpackages@Asg$qqrr20Clear$qqrr44Collections@%Generics@Interface$17Interface$42Interface%.IntfItem$qqriLen$qqrx20List__1$69Oxrtl@Stringx20
                                    • String ID:
                                    • API String ID: 2444176310-0
                                    • Opcode ID: 5527ea53544601dd376acb297ff88afe7c17ffccfd50a42702628ffaf0ba322b
                                    • Instruction ID: f06939fb1326001a1eb8185938fa71a9fae30d84fd88d696e52f6fc5ed50c2a3
                                    • Opcode Fuzzy Hash: 5527ea53544601dd376acb297ff88afe7c17ffccfd50a42702628ffaf0ba322b
                                    • Instruction Fuzzy Hash: 24017C343002009FD714DFA9D992F157BE9EB59710B6584E9F908EB266DA70EC00DA40
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BCC1B4,?,?,?,00000000), ref: 00BCC158
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCC1B4,?,?,?,00000000), ref: 00BCC166
                                    • @System@Generics@Collections@%TList__1$69System@%DelphiInterface$42Oxrtl@System@Appxpackages@IAppxApplication%%@GetItem$qqri.OXCOMPONENTSRTL(00000000,00BCC1B4,?,?,?,00000000), ref: 00BCC17E
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCC1BB,?,?,00000000), ref: 00BCC1AE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250System@@Unicode$DelphiString.System@%$Application%%@AppxAppxpackages@Asg$qqrr20Clear$qqrr44Collections@%Generics@Interface$17Interface$42Interface%.IntfItem$qqriLen$qqrx20List__1$69Oxrtl@Stringx20
                                    • String ID:
                                    • API String ID: 2444176310-0
                                    • Opcode ID: 31604913f0e54d29f73ece0d2d7fb23e5d9561b006067a61c8170a912d25349c
                                    • Instruction ID: 67d97e995ba377f808ecf8d57990660fa032db8c60f004981f8283756d058330
                                    • Opcode Fuzzy Hash: 31604913f0e54d29f73ece0d2d7fb23e5d9561b006067a61c8170a912d25349c
                                    • Instruction Fuzzy Hash: 94017C343142009FD714EF2AC892F1577E9EF49B40B6584E9F904E7667DA70EC01DA40
                                    APIs
                                    • @Axrtl@System@Thread@TThread@SleepByAndCheck$qqrui.AXCOMPONENTSRTL.BPL ref: 00C021E7
                                    • @System@Syncobjs@TInterlocked@Decrement$qqrri.RTL250.BPL(00C02261,00000000,00C0229A), ref: 00C0220C
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(00C02261,00000000,00C0229A), ref: 00C0221B
                                    • @System@Generics@Collections@%TQueue__1$p44Oxrtl@System@Internet@TInternetPostQueueItem%@Clear$qqrv.OXCOMPONENTSRTL(00000000,00C02252,?,00C02261,00000000,00C0229A), ref: 00C02234
                                    • @System@Syncobjs@TCriticalSection@Leave$qqrv.RTL250.BPL(00C02259,00C02261,00000000,00C0229A), ref: 00C0224C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250Syncobjs@$CriticalSection@Thread@$Axrtl@Check$qqrui.Clear$qqrvCollections@%Decrement$qqrri.Enter$qqrv.Generics@Interlocked@InternetInternet@Item%@Leave$qqrv.Oxrtl@PostQueueQueue__1$p44Sleep
                                    • String ID:
                                    • API String ID: 2675232954-0
                                    • Opcode ID: 9cb7440939ed10a094466d6d007c4bd27f801823e514e5db72715184059c17b4
                                    • Instruction ID: 2db7cd1b1cf478df57b88879996c157b2288f8b50045ba07f815dd6996e90030
                                    • Opcode Fuzzy Hash: 9cb7440939ed10a094466d6d007c4bd27f801823e514e5db72715184059c17b4
                                    • Instruction Fuzzy Hash: C0015A30604244EFEB15DB98D94AE5DBBF4EB89710F9284F5E8049B6A2C734EF41DA14
                                    APIs
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Lock$qqrv.OXCOMPONENTSRTL ref: 00C2630C
                                      • Part of subcall function 00C266CC: @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(?,00C26311), ref: 00C266D2
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@GetAppProductsLocal$qqrx51Oxrtl@System@Securitycenter@TSecurityAppProductType.OXCOMPONENTSRTL ref: 00C26332
                                      • Part of subcall function 00C2637C: @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Lock$qqrv.OXCOMPONENTSRTL ref: 00C2638B
                                      • Part of subcall function 00C2637C: @Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProducts@$bctr$qqrp63Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenterx51Oxrtl@System@Securitycenter@TSecurityAppProductType.OXCOMPONENTSRTL(?,00000000,00C263DF), ref: 00C263B3
                                      • Part of subcall function 00C2637C: @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Unlock$qqrv.OXCOMPONENTSRTL(00C263E6), ref: 00C263D9
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProductsInt@$bctr$qqrp62Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProducts.OXCOMPONENTSRTL ref: 00C26340
                                      • Part of subcall function 00C27328: @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C27335
                                      • Part of subcall function 00C27328: @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,?,00C26345), ref: 00C27344
                                      • Part of subcall function 00C27328: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,?,?,00C26345), ref: 00C27352
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C26351
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Unlock$qqrv.OXCOMPONENTSRTL(00C26373), ref: 00C26366
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Security$System@$Oxrtl@Securitycenter@$Utils@$System$Center@L250$ProductsSystem@@$DelphiInterface$17Lock$qqrvProductSystem@%TypeUnlock$qqrv$AfterCenterx51ClassConstruction$qqrxp14Copy$qqrr44Create$qqrpvzc.CriticalEnter$qqrv.Int@$bctr$qqrp62Interface%.Interface%x44IntfLocal$qqrx51Object.Object@$bctr$qqrv.Products@$bctr$qqrp63Section@Syncobjs@
                                    • String ID:
                                    • API String ID: 1486827607-0
                                    • Opcode ID: 5445fe71117262e8392a2a62abadb8b8b62564989a11fe07915423c329f167de
                                    • Instruction ID: 6be26de32ecb2b6a464a37d824b824b6601232e82604d46fbf59f2ce181e139b
                                    • Opcode Fuzzy Hash: 5445fe71117262e8392a2a62abadb8b8b62564989a11fe07915423c329f167de
                                    • Instruction Fuzzy Hash: 7101AD30B04614EF8715EB6DE84285EB7F9EB8972076041B5F804D3BB1DA31AE00A664
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F0D
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F1D
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Imaging@L250Pngimage@Vcl@$Item$qqruiList@MetaStringSystem@@$Class$qqrxp14Class.Class20Clr$qqrpv.Error$qqrp17Image@LoadObjectp17PointerRaiseRec.String$qqrp20Unicode
                                    • String ID:
                                    • API String ID: 2543536823-0
                                    • Opcode ID: 0ac8e418538a7d1174172648b22969930747689885be44161495572cc74aa2f1
                                    • Instruction ID: 57615d5c49c905851ed11ef286f7709f6ca67df0ed788b24eadc2dc3cdf4b4b0
                                    • Opcode Fuzzy Hash: 0ac8e418538a7d1174172648b22969930747689885be44161495572cc74aa2f1
                                    • Instruction Fuzzy Hash: 20F08C343042049FE701DF68CD82A5AB3E9FB88B00F52A4B0F808C7666DBB4ED04CA51
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C01361
                                    • @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00C0136F
                                    • @Oxrtl@System@Internet@TInternetPostQueueItem@$bctr$qqrx20System@UnicodeString71System@%DelphiInterface$44Axrtl@System@Win@Internet@IHttpRequestParams%.OXCOMPONENTSRTL(?,00000000,00C013BA), ref: 00C0138C
                                    • @Axrtl@System@Win@Internet@THTTPFormDataPost@AddField$qqrx20System@UnicodeStringt1o.AXCOMPONENTSRTL.BPL(?,?,00000000,00C013BA), ref: 00C0139F
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00C013C1,00C013BA), ref: 00C013B4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$DelphiInternet@L250System@%System@@$Axrtl@Interface$17Interface%.IntfUnicodeWin@$ClassClear$qqrr44Create$qqrpvzc.DataField$qqrx20FormHttpInterface$44InternetItem@$bctr$qqrx20Oxrtl@Params%PostPost@QueueRef$qqrx44RequestString71Stringt1o.
                                    • String ID:
                                    • API String ID: 1495192667-0
                                    • Opcode ID: 4197f69d1af0e8dee07db355fb3cb10fcd0be34d889635624580d8e024ea360c
                                    • Instruction ID: 2206558c40853a44633e787371ca052c4491a3e4784022abc54efe7727ecf065
                                    • Opcode Fuzzy Hash: 4197f69d1af0e8dee07db355fb3cb10fcd0be34d889635624580d8e024ea360c
                                    • Instruction Fuzzy Hash: 03F0C2712046486FC700EF29CC52C6ABBD9EB8A79075985B4FD08C3791DA35ED11C6A0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0086751A
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 0086752A
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 00867537
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 00867549
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00867556
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$System@$AfterChar$qqrpvic.ClassConstruction$qqrxp14Create$qqrpvzc.FillMem$qqri.Object.Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 3474865921-0
                                    • Opcode ID: 1b87b397e25f4c91ba77cf0ddd3a450cb4f79ca183d40e7f4b7945ffeb0d7af9
                                    • Instruction ID: fa357d34a9027316b0b01ee7ef94a5e6129578020d2a40768e5b2c9b6c32a8f0
                                    • Opcode Fuzzy Hash: 1b87b397e25f4c91ba77cf0ddd3a450cb4f79ca183d40e7f4b7945ffeb0d7af9
                                    • Instruction Fuzzy Hash: D2F02B2260CAD01AC710927E180635ABAC5EF815A2F08406AF858C3382D827884D43A2
                                    APIs
                                    • DeleteObject.GDI32(?), ref: 00871673
                                    • DeleteDC.GDI32(?), ref: 00871680
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 0087168F
                                    • DeleteObject.GDI32(?), ref: 0087169C
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 008716AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Delete$FreeL250Mem$qqrpv.ObjectSystem@@
                                    • String ID:
                                    • API String ID: 2673518161-0
                                    • Opcode ID: 746a1ac401d2501a84609aed673e03f44c1bbb5bbe5c29ddef422ebf6bf80fe9
                                    • Instruction ID: 6090c8a15646260cae090ba945555abb52d7a67acd66f9d43506506ff8433b9f
                                    • Opcode Fuzzy Hash: 746a1ac401d2501a84609aed673e03f44c1bbb5bbe5c29ddef422ebf6bf80fe9
                                    • Instruction Fuzzy Hash: 0001B2B07002008BCF90DF7D88C571737E9BB1424570888B9AC08DF64AEA34D8148B66
                                    APIs
                                    • @System@Json@TJSONObject@Get$qqrx20System@UnicodeString.RTL250.BPL ref: 00C063CA
                                    • @System@Json@TJSONBool@$bctr$qqro.RTL250.BPL ref: 00C063E0
                                    • @System@Json@TJSONPair@SetJsonValue$qqrxp22System@Json@TJSONValue.RTL250.BPL ref: 00C063E9
                                    • @System@Json@TJSONBool@$bctr$qqro.RTL250.BPL ref: 00C063FB
                                    • @Oxrtl@System@Jsonutils@TJSONObjectHelper@AddPair$qqrx20System@UnicodeStringxp22System@Json@TJSONValue.OXCOMPONENTSRTL ref: 00C06406
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Json@$L250$Bool@$bctr$qqro.Unicode$Get$qqrx20Helper@JsonJsonutils@ObjectObject@Oxrtl@Pair$qqrx20Pair@String.Stringxp22ValueValue$qqrxp22Value.
                                    • String ID:
                                    • API String ID: 3506075873-0
                                    • Opcode ID: 370aed1b804e957aa9a7806743329bcb2480ecae2b65b3d10e706a4992b906a3
                                    • Instruction ID: 1241ac39acc7801efb50728ba92e66dde8d5ba666d92296e8c25e6e34b4f27dd
                                    • Opcode Fuzzy Hash: 370aed1b804e957aa9a7806743329bcb2480ecae2b65b3d10e706a4992b906a3
                                    • Instruction Fuzzy Hash: B3F0276170A9605BC300EB6E5C9126FEBDE8A91224354017AF409D7392D833DC4BEBA0
                                    APIs
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(47091705,?,?,00C112CD), ref: 00C11241
                                    • @Oxrtl@System@Powerutils@PowerUtils@TPowerSchemeVista@$bctr$qqrx20System@UnicodeString.OXCOMPONENTSRTL(47091705,?,?,00C112CD), ref: 00C11253
                                      • Part of subcall function 00C13838: @System@@ClassCreate$qqrpvzc.RTL250.BPL(?,?), ref: 00C13848
                                      • Part of subcall function 00C13838: @Oxrtl@System@Powerutils@PowerUtils@TCustomPowerScheme@$bctr$qqrx20System@UnicodeString.OXCOMPONENTSRTL(C702D027,?,?), ref: 00C1385C
                                      • Part of subcall function 00C13838: @System@Sysutils@TGuidHelper@Create$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C138A5,BC10EFE0,C702D027,?,?), ref: 00C1387D
                                      • Part of subcall function 00C13838: @System@GetMemory$qi.RTL250.BPL(00000010,00000000,00C138A5,BC10EFE0,C702D027,?,?), ref: 00C13884
                                      • Part of subcall function 00C13838: @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(C702D027,?,?), ref: 00C138B8
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(47091705,?,?,00C112CD), ref: 00C11263
                                    • @Oxrtl@System@Powerutils@PowerUtils@TPowerSchemeXP@$bctr$qqrx20System@UnicodeStringxui.OXCOMPONENTSRTL(000000FF,47091705,?,?,00C112CD), ref: 00C11275
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(000000FF,47091705,?,?,00C112CD), ref: 00C11285
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F71F
                                      • Part of subcall function 0085F404: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,0085F3E2), ref: 0085F410
                                    • @System@@GetMem$qqri.RTL250.BPL ref: 0085F729
                                    • GetDIBColorTable.GDI32(?,00000000,00000100,?,00000000,0085F773), ref: 0085F74B
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@ImportColorTable$qqrpvi.VCLIMG250(?,00000000,00000100,?,00000000,0085F773), ref: 0085F758
                                      • Part of subcall function 0085F6A0: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F6B1
                                      • Part of subcall function 0085F6A0: @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250 ref: 0085F6C3
                                    • @System@@FreeMem$qqrpv.RTL250.BPL(0085F77A,?,00000000,0085F773), ref: 0085F76D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00874A7D
                                    • @Vcl@Graphics@TGraphic@$bctr$qqrv.VCL250.BPL ref: 00874A8A
                                    • @Vcl@Graphics@TCanvas@$bctr$qqrv.VCL250.BPL ref: 00874A96
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 00874ACF
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00874AE0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @Oxrtl@Winapi@Powrprof@TPowerSchemeHelper@SchemeName$qqrv.OXCOMPONENTSRTL(00000000,00C1333B), ref: 00C13301
                                      • Part of subcall function 00C10548: @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00C10555
                                      • Part of subcall function 00C10548: @Oxrtl@Winapi@Powrprof@PowrProf@GetPowerSchemeGUID$qqrx34Oxrtl@Winapi@Powrprof@TPowerScheme.OXCOMPONENTSRTL ref: 00C10561
                                      • Part of subcall function 00C10548: @System@Sysutils@TGuidHelper@ToString$qqrv.RTL250.BPL ref: 00C10570
                                    • @System@Sysutils@TStringHelper@GetLength$qqrv.RTL250.BPL(00000000,00C1333B), ref: 00C13309
                                    • @Oxrtl@System@Powerutils@PowerUtils@OpenPowerScheme$qqrx20System@UnicodeString.OXCOMPONENTSRTL(00000000,00C1333B), ref: 00C13317
                                      • Part of subcall function 00C11234: @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(47091705,?,?,00C112CD), ref: 00C11241
                                      • Part of subcall function 00C11234: @Oxrtl@System@Powerutils@PowerUtils@TPowerSchemeVista@$bctr$qqrx20System@UnicodeString.OXCOMPONENTSRTL(47091705,?,?,00C112CD), ref: 00C11253
                                      • Part of subcall function 00C11234: @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(47091705,?,?,00C112CD), ref: 00C11263
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00C1333B), ref: 00C13320
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C13342), ref: 00C13335
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008685CE
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,00869BF8), ref: 008685DD
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,00869BF8), ref: 008685EC
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,?,00869BF8), ref: 008685FB
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,?,00869BF8), ref: 00868609
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C21199
                                    • @System@Generics@Collections@%TList__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@SetCount$qqri.OXCOMPONENTSRTL ref: 00C211AC
                                      • Part of subcall function 00C20ED0: @System@Generics@Collections@TListHelper@InternalSetCountMRef$qqri.RTL250.BPL(?,00C20EB3), ref: 00C20ED6
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000000), ref: 00C211C1
                                    • @System@Generics@Collections@%TEnumerable__1$58System@%DelphiInterface$31Oxrtl@System@Processes@IProcess%%@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00C211CF
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C211DA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BE313D
                                    • @System@Generics@Collections@%TList__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@SetCount$qqri.OXCOMPONENTSRTL ref: 00BE3150
                                      • Part of subcall function 00BE2E74: @System@Generics@Collections@TListHelper@InternalSetCountMRef$qqri.RTL250.BPL(?,00BE2E57), ref: 00BE2E7A
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000000), ref: 00BE3165
                                    • @System@Generics@Collections@%TEnumerable__1$84System@%DelphiInterface$57Oxrtl@System@Eventlog@TWindowsEventLog@IConditionInternal%%@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00BE3173
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BE317E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C2035D
                                    • @System@Generics@Collections@%TList__1$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%%@SetCount$qqri.OXCOMPONENTSRTL ref: 00C20370
                                      • Part of subcall function 00C20094: @System@Generics@Collections@TListHelper@InternalSetCountMRef$qqri.RTL250.BPL(?,00C20077), ref: 00C2009A
                                    • @System@@DynArraySetLength$qqrv.RTL250.BPL(00000000), ref: 00C20385
                                    • @System@Generics@Collections@%TEnumerable__1$57System@%DelphiInterface$30Oxrtl@System@Processes@IWindow%%@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00C20393
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C2039E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250 ref: 0086ACAB
                                      • Part of subcall function 0086ACF8: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,?,008698A5,?,008698DD,0086981D), ref: 0086ACFE
                                      • Part of subcall function 0086ACF8: @System@TObject@Free$qqrv.RTL250.BPL(?,?,008698A5,?,008698DD,0086981D), ref: 0086AD15
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreePalette$qqrv.VCLIMG250 ref: 0086ACB2
                                      • Part of subcall function 0086ACE0: DeleteObject.GDI32(?), ref: 0086ACEB
                                    • @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250 ref: 0086ACBA
                                    • @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250 ref: 0086ACCE
                                      • Part of subcall function 00867934: @Vcl@Imaging@Gifimg@TGIFList@GetItem$qqri.VCLIMG250(00000000,00000000,008698F6,00000000,?,?,?,008602B0,00000000,0086034B), ref: 0086793E
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Dormant$qqrv.VCLIMG250 ref: 0086ACD3
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 0086336D
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 00863374
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreePalette$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 0086337B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085A6EE
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085A6FE
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085A70A
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085A715
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085A720
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085F362), ref: 0085F31C
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085F362), ref: 0085F32A
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085F362), ref: 0085F338
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085F362), ref: 0085F346
                                    • DeleteObject.GDI32(00000000), ref: 0085F355
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C013E5
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C013F1
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C013F9
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00C01404
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C0140F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$FreeNil$qqrpv.System@@Sysutils@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 1088856882-0
                                    • Opcode ID: f78a18e26df691765296d83395620cbe974adfccb2b5a6fcfcd7612ead54d633
                                    • Instruction ID: 3a3fd9d2593e3c217aa94c48398af74f5d83e83a9392a000ac5af534cffc88c9
                                    • Opcode Fuzzy Hash: f78a18e26df691765296d83395620cbe974adfccb2b5a6fcfcd7612ead54d633
                                    • Instruction Fuzzy Hash: 91D01222741519165311B2699C82ECDB3CC9D06B6638C48AAF644B7113EB159E1F42D5
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00C0C361
                                    • @Oxrtl@System@Math@Animatehelper@TAnimateHelper@Stop$qqrv.OXCOMPONENTSRTL ref: 00C0C36C
                                      • Part of subcall function 00C0C538: @Axrtl@System@Timer@Timer@KillTimer$qqrynpqqrr24Winapi@Messages@TMessage$vi.AXCOMPONENTSRTL.BPL(?,?,?,?,00C0C479,?,?,?,?,?,00C0C1F6), ref: 00C0C54F
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00C0C377
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00C0C382
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00C0C38D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@Timer@$AnimateAnimatehelper@Axrtl@BeforeClassDestroy$qqrxp14Destruction$qqrxp14FreeHelper@KillMath@Message$vi.Messages@Nil$qqrpv.Object.Object@$bdtr$qqrv.Objectzc.Oxrtl@Stop$qqrvSysutils@Timer$qqrynpqqrr24Winapi@
                                    • String ID:
                                    • API String ID: 2950226954-0
                                    • Opcode ID: ed1d4e4edb3cfac42aa51aba33963b4409aa5d176eeea12adab639691837e243
                                    • Instruction ID: 1fbded7208a762b45d4f5998f917c5360700d6d7bc349a2a89b55d9e284795a5
                                    • Opcode Fuzzy Hash: ed1d4e4edb3cfac42aa51aba33963b4409aa5d176eeea12adab639691837e243
                                    • Instruction Fuzzy Hash: F7D05B21741918169301726C6C82FCDA3CC9F076567888D56F644F7243E6065E1F43D9
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 00869899
                                      • Part of subcall function 0086B1D0: @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,0086989E,?,008698DD,0086981D), ref: 0086B1FF
                                    • @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A0
                                      • Part of subcall function 0086ACF8: @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250(?,?,008698A5,?,008698DD,0086981D), ref: 0086ACFE
                                      • Part of subcall function 0086ACF8: @System@TObject@Free$qqrv.RTL250.BPL(?,?,008698A5,?,008698DD,0086981D), ref: 0086AD15
                                    • @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698A8
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698B3
                                      • Part of subcall function 0085F404: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,0085F3E2), ref: 0085F410
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@Prepare$qqrv.VCLIMG250(?,008698DD,0086981D), ref: 008698C7
                                      • Part of subcall function 0086024C: @Vcl@Imaging@Gifimg@TGIFHeader@GetColorResolution$qqrv.VCLIMG250 ref: 00860268
                                      • Part of subcall function 0086024C: @Vcl@Imaging@Gifimg@TGIFHeader@GetBitsPerPixel$qqrv.VCLIMG250 ref: 00860276
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Header@Image@L250$Clear$qqrvColorDraw$qqrvFree$qqrv.Object@StopSystem@$ArrayBitmap$qqrvBitsClear$qqrrpvpv.FreeList@Map@Pixel$qqrvPrepare$qqrvResolution$qqrvSystem@@
                                    • String ID:
                                    • API String ID: 789041847-0
                                    • Opcode ID: 791519420ca2567e922b3ee291b5708debef910f2d0a3f84277345f5ebc23d74
                                    • Instruction ID: fa31d8ecdd85f3f744a1b82e95d9e589bda2d874de2cd3d15e6ca336225e0b22
                                    • Opcode Fuzzy Hash: 791519420ca2567e922b3ee291b5708debef910f2d0a3f84277345f5ebc23d74
                                    • Instruction Fuzzy Hash: D0E092203112008BC784EF2DC8D980AB7E4FF48305791A4A8F809CF367DB74DC498B06
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250(?,008630EF), ref: 0086312E
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,008630EF), ref: 00863136
                                      • Part of subcall function 0085F404: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,0085F3E2), ref: 0085F410
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250(?,008630EF), ref: 0086313D
                                      • Part of subcall function 0086330C: @System@@FreeMem$qqrpv.RTL250.BPL(?,008632E3,?,?,00861D79), ref: 00863316
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@DoSetBounds$qqriiii.VCLIMG250(00000000,00000000,?,008630EF), ref: 0086314C
                                      • Part of subcall function 00863F74: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FE6
                                      • Part of subcall function 00863F74: @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FED
                                      • Part of subcall function 00863F74: @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FF4
                                      • Part of subcall function 00863F74: @Vcl@Imaging@Gifimg@TGIFFrame@ClearImage$qqrv.VCLIMG250(00000000,00864092,?,?,00000000,00000000), ref: 00863FFB
                                      • Part of subcall function 00863F74: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000000), ref: 0086406B
                                      • Part of subcall function 00863F74: @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(?,?,00000000,00000000), ref: 00864077
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Dormant$qqrv.VCLIMG250(00000000,00000000,?,008630EF), ref: 00863158
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreeBitmap$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 0086336D
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreeMask$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 00863374
                                      • Part of subcall function 00863368: @Vcl@Imaging@Gifimg@TGIFFrame@FreePalette$qqrv.VCLIMG250(00000000,0086315D,00000000,00000000,?,008630EF), ref: 0086337B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$Frame@$Free$Image$qqrvL250System@$Bitmap$qqrvClear$qqrvMask$qqrvStringSystem@@$ArrayBounds$qqriiiiClearClear$qqrrpvpv.ColorDormant$qqrvItem@List@LoadMap@Mem$qqrpv.Palette$qqrvRec.Severityx20String$qqrp20UnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 257355709-0
                                    • Opcode ID: 7d64007e6854bb0ab272d14fc8b7168df56363840936cdf57291f481cf9ca0b3
                                    • Instruction ID: 33f1f930daf0c85390851e084882e19c0625fbda7830a81ec50273d5f1fc75b3
                                    • Opcode Fuzzy Hash: 7d64007e6854bb0ab272d14fc8b7168df56363840936cdf57291f481cf9ca0b3
                                    • Instruction Fuzzy Hash: CBD05E607102004BCB84FF3CDDC3B0A66E8BF08700F416479B909CF367DE20C9048201
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 008598B2
                                    • @Vcl@Imaging@Gifimg@TGIFList@Clear$qqrv.VCLIMG250 ref: 008598BD
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008598C5
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 008598D0
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 008598DB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$BeforeClassClasses@Clear$qqrvDestroy$qqrxp14Destruction$qqrxp14Free$qqrv.Gifimg@Imaging@List@Object.Object@Objectzc.Persistent@$bdtr$qqrv.Vcl@
                                    • String ID:
                                    • API String ID: 2194157037-0
                                    • Opcode ID: a25d5931cd40754e02d5050e478888960aea3ee3f98cc489780f046e7afe08ac
                                    • Instruction ID: 57c1366e81d88db7fbc3c53023a5e0e3fb683e523ca129111ea0af05714253e9
                                    • Opcode Fuzzy Hash: a25d5931cd40754e02d5050e478888960aea3ee3f98cc489780f046e7afe08ac
                                    • Instruction Fuzzy Hash: 01D0C962B91D20470A11B67C59A76DE53C9FF0AA933840465FEC4CB242DF169E4E93CB
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00868F4A
                                    • @Vcl@Imaging@Gifimg@TGIFRenderer@Clear$qqrv.VCLIMG250 ref: 00868F55
                                      • Part of subcall function 00868EC0: @System@TObject@Free$qqrv.RTL250.BPL ref: 00868EDF
                                      • Part of subcall function 00868EC0: @System@TObject@Free$qqrv.RTL250.BPL ref: 00868EF9
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00868F5D
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00868F68
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00868F73
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Free$qqrv.Object@$System@@$BeforeClassClear$qqrvDestroy$qqrxp14Destruction$qqrxp14Gifimg@Imaging@Object.Object@$bdtr$qqrv.Objectzc.Renderer@Vcl@
                                    • String ID:
                                    • API String ID: 2016210152-0
                                    • Opcode ID: 80289714b39ce8bd909120ce2fb8b8c7a7e35ef6184c06ca78c403da0c90b9b3
                                    • Instruction ID: 93b5de2b52706882a07606d6af2dd83b5bb1735c027f8fc92b80c7b534379676
                                    • Opcode Fuzzy Hash: 80289714b39ce8bd909120ce2fb8b8c7a7e35ef6184c06ca78c403da0c90b9b3
                                    • Instruction Fuzzy Hash: CED0A962BA0D20030B11723C18963CE03CAFE066D33480822FA84CB282DF168E8E03CB
                                    APIs
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(?), ref: 00C32096
                                    • @Axrtl@Winapi@Iphlpapi@IPHelper@FreeMibTable$qqrrpv.AXCOMPONENTSRTL.BPL ref: 00C32102
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@$Call$qqrx20Dllroutines@FreeHelper@Iphlpapi@Routines@Stringt1.System@Table$qqrrpv.UnicodeWinapi@
                                    • String ID: GetIfTable2$Iphlpapi.dll
                                    • API String ID: 2851457830-63597007
                                    • Opcode ID: e2c50c6601ac10dd869a321a91b60c8075c2a577a7915a656c7f87a7b95b8382
                                    • Instruction ID: 82fc0f44897fe0b9b823622d414a148c9b3c9aa57912b4513b3a07a4151abe8d
                                    • Opcode Fuzzy Hash: e2c50c6601ac10dd869a321a91b60c8075c2a577a7915a656c7f87a7b95b8382
                                    • Instruction Fuzzy Hash: 9621DB7202D7C45FDB1A87B46C2A8A97FB49E03200B2C80DFD0C59F0A3E2159A0AD766
                                    APIs
                                    • @System@Types@Rect$qqriiii.RTL250.BPL(?,00000000,00000001,?,0086AA6F), ref: 0086AA3C
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00000001,?,0086AA6F), ref: 0086AA4D
                                    • @System@@CallDynaInst$qqrv.RTL250.BPL(?,?,?,00000000,00000001,?,0086AA6F), ref: 0086AA62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$CallDynaInst$qqrv.LoadRec.Rect$qqriiii.StringString$qqrp20System@@Types@
                                    • String ID: d
                                    • API String ID: 2491242270-2564639436
                                    • Opcode ID: a5b654e72ba6c8296472de0183935fba72ea27ec91450fb686be791dd106b7be
                                    • Instruction ID: a9aa807bb2a1b560c1414922abcc7633385f9948395afac69e0c0d9650d560cb
                                    • Opcode Fuzzy Hash: a5b654e72ba6c8296472de0183935fba72ea27ec91450fb686be791dd106b7be
                                    • Instruction Fuzzy Hash: D9013676A041049FDB04DFE9D951ADE73F9FB48710F61C466E500E7280DA749E05CF21
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00867021
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,008671A5,008671C7), ref: 0086702E
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,008671A5,008671C7), ref: 0086705D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.Object@$bctr$qqrv.
                                    • String ID: NETSCAPE2.0ANIMEXTS1.0
                                    • API String ID: 3052202585-2813417109
                                    • Opcode ID: 949fff62c51d8441709b608c34e83f3c9d48f7e2a8989fec216bcd842a021dbb
                                    • Instruction ID: 5098303ee84989b896efa27c9efcdd047793868f14e4f6c20a3ef9c3f4545a68
                                    • Opcode Fuzzy Hash: 949fff62c51d8441709b608c34e83f3c9d48f7e2a8989fec216bcd842a021dbb
                                    • Instruction Fuzzy Hash: 1AE09262705E60838600F36C1C52B17B243FF84FDA7054220FE14CB3A9EA274D1A03E7
                                    APIs
                                    • RegisterWindowMessageW.USER32(POWER_SOURCE_CHANGE_{D503CDAE-5EFF-4382-8C93-01CD32596C01}), ref: 00C13214
                                    • @System@Classes@AllocateHWnd$qqrxynpqqrr24Winapi@Messages@TMessage$v.RTL250.BPL(?,00C10F8C,POWER_SOURCE_CHANGE_{D503CDAE-5EFF-4382-8C93-01CD32596C01}), ref: 00C13230
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(?,00C10F8C,POWER_SOURCE_CHANGE_{D503CDAE-5EFF-4382-8C93-01CD32596C01}), ref: 00C1323E
                                    Strings
                                    • POWER_SOURCE_CHANGE_{D503CDAE-5EFF-4382-8C93-01CD32596C01}, xrefs: 00C1320F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Axrtl@Osinfo@Win@$AllocateClasses@Info@L250MessageMessage$v.Messages@RegisterVersiont1.Winapi@WindowWindowsWindows$qqr39Wnd$qqrxynpqqrr24
                                    • String ID: POWER_SOURCE_CHANGE_{D503CDAE-5EFF-4382-8C93-01CD32596C01}
                                    • API String ID: 2256776821-4084637264
                                    • Opcode ID: 70c7cf4e7422d2c7b6e15dffba8682afccf3bc1e8cc6f6a9d94b34dd23130893
                                    • Instruction ID: 1b64d30a3ced3966cc83a60246c361f3f407e92fce7c307816d5a7a08e591594
                                    • Opcode Fuzzy Hash: 70c7cf4e7422d2c7b6e15dffba8682afccf3bc1e8cc6f6a9d94b34dd23130893
                                    • Instruction Fuzzy Hash: 5FE06D71A00240AED210FFAAAC42F8E37D89B07B24F444098F2498B262CBF165059B60
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00867765
                                    • @Vcl@Imaging@Gifimg@TGIFApplicationExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFramerx37Vcl@Imaging@Gifimg@TGIFApplicationRec.VCLIMG250(NETSCAPE2.0), ref: 00867777
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00867782
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$ApplicationL250System@@$AfterClassConstruction$qqrxp14Create$qqrpvzc.Extension@$bctr$qqrp28Framerx37Object.System@
                                    • String ID: NETSCAPE2.0
                                    • API String ID: 3135008374-1278374441
                                    • Opcode ID: e1e8f2de3d382f297948ad8857d4f9271515b3b59fc84cb93a61701bcf798d92
                                    • Instruction ID: 949c79cf737eee09d42e09a19f3d0d42e4928d7b432fbbe057fd10df6693e699
                                    • Opcode Fuzzy Hash: e1e8f2de3d382f297948ad8857d4f9271515b3b59fc84cb93a61701bcf798d92
                                    • Instruction Fuzzy Hash: FAD05E52B46A6087C120B2BC1D42B6AB646FF42EE6B194230FD54CB38AF6160C1902E7
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00876B26
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetScanline$qqrxi.VCLIMG250 ref: 00876B4A
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 00876BE9
                                    • @Vcl@Imaging@Pngimage@TChunkPLTE@GetPaletteItem$qqruc.VCLIMG250 ref: 00876BF1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$System@$Image@L250List@MetaSystem@@$ChunkClassClass$qqrp17Class$qqrxp14Class.Clr$qqrpv.FromHeader$qqrvItemItem$qqrucItem$qqruiObjectp17PaletteScanline$qqrxi
                                    • String ID:
                                    • API String ID: 4228436616-0
                                    • Opcode ID: 06dfcdad0edc1b59865bbfef6053caeb0b8154a6adad239b74aa64c859b38adf
                                    • Instruction ID: f94ede9e23affe88fca76521ec818faf4e2ccf8cf90d6623e2bb04d77d645395
                                    • Opcode Fuzzy Hash: 06dfcdad0edc1b59865bbfef6053caeb0b8154a6adad239b74aa64c859b38adf
                                    • Instruction Fuzzy Hash: A4517365E085CA8EDB45CFBC88216FFBFF2AF89204F1891B5D498D7306D5348A06DB50
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@FilterToEncode$qqrv.VCLIMG250 ref: 008739C7
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@IDATZlibWrite$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2pvxui.VCLIMG250(00000001), ref: 008739DA
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@IDATZlibWrite$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2pvxui.VCLIMG250(?,00000001), ref: 008739F0
                                    • @Vcl@Imaging@Pngimage@TChunkIDAT@FinishIDATZlib$qqrr33Vcl@Imaging@Pngimage@TZStreamRec2.VCLIMG250 ref: 00873A0F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$Chunk$Stream$Rec2pvxuiWrite$qqrr33Zlib$Encode$qqrvFilterFinishRec2Zlib$qqrr33
                                    • String ID:
                                    • API String ID: 682546293-0
                                    • Opcode ID: 359dba5ac9fc3729e4dd8cb885597b9cc2782cebd0edae1eb771417bb17c7add
                                    • Instruction ID: 9939c58b8c4115824bc2c3e3e804f6d984d759300f07d6876c4b67f73501d8d1
                                    • Opcode Fuzzy Hash: 359dba5ac9fc3729e4dd8cb885597b9cc2782cebd0edae1eb771417bb17c7add
                                    • Instruction Fuzzy Hash: 38410BB01083558FC744CF59C49866ABBE1FB86304F04C86EA69DC725AC7B5CB49AB93
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 00876CD6
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Graphics@ColorToRGB$qqr21System@Uitypes@TColor.VCL250.BPL ref: 00876CE1
                                    • GetNearestPaletteIndex.GDI32(00000000), ref: 00876CF0
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetScanline$qqrxi.VCLIMG250(00000000), ref: 00876D14
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Imaging@L250Pngimage@System@$Image@System@@$B$qqr21Class$qqrxp14Class.Clr$qqrpv.ColorColor.Graphics@Header$qqrvIndexItem$qqruiList@MetaNearestObjectp17PaletteScanline$qqrxiUitypes@
                                    • String ID:
                                    • API String ID: 1176026089-0
                                    • Opcode ID: 18c57e0f8496a1babf2799dd13288540f7292e3da6ae6aa0cb8db1f7c444ee2c
                                    • Instruction ID: 78a7f1c7d8212966d03cbf55f7f6357ad9fa68b1fba7aa20bd2c1bc0dab6716a
                                    • Opcode Fuzzy Hash: 18c57e0f8496a1babf2799dd13288540f7292e3da6ae6aa0cb8db1f7c444ee2c
                                    • Instruction Fuzzy Hash: 5A316376B041499FCB49DEBCC8616EFBFF6AB89100F14C1769498D7341DA30990A9750
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085ED6B), ref: 0085EC5A
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 0085ECBF
                                    • @System@TObject@Free$qqrv.RTL250.BPL(0085ED0B,00000006,00000000,0085ED37,?,?,00000000,0085ED6B), ref: 0085ECFE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Classes@Free$qqrv.Get$qqri.List@LoadObject@Rec.StringString$qqrp20
                                    • String ID:
                                    • API String ID: 3554409768-0
                                    • Opcode ID: 70614b35289c1029be3ca43e03239cecc464801ade1cfa68d9ccbacfc22049ab
                                    • Instruction ID: c7bc876bf06814dacbcea82107247fa06ee98472f5c1ab183e41c10f73c4674d
                                    • Opcode Fuzzy Hash: 70614b35289c1029be3ca43e03239cecc464801ade1cfa68d9ccbacfc22049ab
                                    • Instruction Fuzzy Hash: 4A312570A04608DFDB25DF68CC92AAEBBF5FB48701F5184A4E804E37A0D774AE48CB51
                                    APIs
                                    • @System@@DynArrayAsg$qqrrpvpvt2.RTL250.BPL(00000000,00C4B465,?,?,00000000), ref: 00C4B3C2
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00C4B465,?,?,00000000), ref: 00C4B3D5
                                    • @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@SetCapacity$qqri.OXCOMPONENTSRTL(00000000,00C4B465,?,?,00000000), ref: 00C4B3DE
                                      • Part of subcall function 00C4A858: @System@Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL250.BPL(?,00C4AFCD,00000000,00C4AFE3,?,?,00C46B1C,00000001,00000000,?,00C4AEFC,00000000,?,?,?,00C48FD7), ref: 00C4A86D
                                      • Part of subcall function 00C4A858: @System@@RaiseExcept$qqrv.RTL250.BPL(?,00C4AFCD,00000000,00C4AFE3,?,?,00C46B1C,00000001,00000000,?,00C4AEFC,00000000,?,?,?,00C48FD7), ref: 00C4A872
                                      • Part of subcall function 00C4A858: @System@Generics@Collections@%TDictionary__2$uj20System@UnicodeString%@Rehash$qqri.OXCOMPONENTSRTL(?,00C4AFCD,00000000,00C4AFE3,?,?,00C46B1C,00000001,00000000,?,00C4AEFC,00000000,?,?,?,00C48FD7), ref: 00C4A87D
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C4B46C,?,00000000), ref: 00C4B45F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Array$Clear$qqrrpvpv.Collections@%Dictionary__2$uj20Generics@String%@Unicode$Asg$qqrrpvpvt2.Capacity$qqriExcept$qqrv.Exception@$bctr$qqrp20RaiseRec.Rehash$qqriStringSysutils@
                                    • String ID:
                                    • API String ID: 863296917-0
                                    • Opcode ID: 1def962bf68dc9d21b46454eda56fc1e096fe79e64f2522fe59aba5f20683412
                                    • Instruction ID: d19b735e1638740712bc159abe8207c04db5288ebb5994750ebeff05f87284aa
                                    • Opcode Fuzzy Hash: 1def962bf68dc9d21b46454eda56fc1e096fe79e64f2522fe59aba5f20683412
                                    • Instruction Fuzzy Hash: 48211734A00609DFCB11DFADC88499EB7F5FB49310B2085A5E865D7362EB31EE15DB90
                                    APIs
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 00875E2E
                                    • @System@Classes@Rect$qqriiii.RTL250.BPL ref: 00875E81
                                    • @Vcl@Graphics@TBitmap@GetCanvas$qqrv.VCL250.BPL(?), ref: 00875E8D
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00875ECA), ref: 00875EBD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Graphics@System@Vcl@$Bitmap@Bitmap@$bctr$qqrv.Canvas$qqrv.Classes@Free$qqrv.Object@Rect$qqriiii.
                                    • String ID:
                                    • API String ID: 150211378-0
                                    • Opcode ID: 3a8d98013e91d4d47f0542db9691781c5c4e4a11e814df7dc081976505cda652
                                    • Instruction ID: 98cc0fad741b57ffb6045db39d66be9ed77ea791fc476aef033caecf5c0b00fd
                                    • Opcode Fuzzy Hash: 3a8d98013e91d4d47f0542db9691781c5c4e4a11e814df7dc081976505cda652
                                    • Instruction Fuzzy Hash: DA21E435B00204AFC744DF68C89489EBBF9FF4D311B5081A4E905DB365DA30ED45CB51
                                    APIs
                                    • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL250.BPL ref: 0085938D
                                    • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL250.BPL ref: 008593A3
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00859413), ref: 008593FE
                                    • @System@@LStrClr$qqrpv.RTL250.BPL(00859413), ref: 00859406
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$AnsiClr$qqrpv.StringSystem@%$Char$qqrx27FromStr$qqrr27Stringus.System@T$us$i0$%.T$us$i0$%x20Unicode
                                    • String ID:
                                    • API String ID: 3894874711-0
                                    • Opcode ID: 328f1dff849b29ddbd4437de6d12ddd3ada553ee19c50aa6adadcc13f4b0b6ed
                                    • Instruction ID: 7d8413ea8df0859da3c31dd485f38847c5b1ee05d61c16b29135f44f8bb8cf02
                                    • Opcode Fuzzy Hash: 328f1dff849b29ddbd4437de6d12ddd3ada553ee19c50aa6adadcc13f4b0b6ed
                                    • Instruction Fuzzy Hash: 90219A30E00619EFCB14DFA9C8915AEBBF8FB48301B5041B6EC50E7390DB34AE099A91
                                    APIs
                                    • MulDiv.KERNEL32(?,?,?), ref: 00865BD9
                                    • MulDiv.KERNEL32(?,?,00000000), ref: 00865BEB
                                    • MulDiv.KERNEL32(?,?,?), ref: 00865C0C
                                    • MulDiv.KERNEL32(?,?,00000000), ref: 00865C25
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e6a9866faed2ba06cae98c3b5a17079461a7209c4fdfeca7f824150de6cb116
                                    • Instruction ID: 8a7729fad6dcecd2b91f1c5d0953566030e061166713e0b08d908e9eb160ba70
                                    • Opcode Fuzzy Hash: 0e6a9866faed2ba06cae98c3b5a17079461a7209c4fdfeca7f824150de6cb116
                                    • Instruction Fuzzy Hash: 532147B6504300AFC740DF69CC8096BBBE8FF8A711B058959FC88CB355E674E840CB62
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A084
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0C4
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,00000000,0085A124,?,?,00000000), ref: 0085A0E3
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085A12B,?,?,00000000), ref: 0085A11E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$LoadRec.StringString$qqrp20System@@$ArrayClassClr$qqrpvi.Create$qqrpvzc.
                                    • String ID:
                                    • API String ID: 4288364226-0
                                    • Opcode ID: 0228f8b23fdf872b913aa8b393552ea0c7f91f71460ce7097a3d85acfeefb649
                                    • Instruction ID: 102999b3338732efc2e141e1f092f68795a11b5608225b27a80dab4e7bd37f0e
                                    • Opcode Fuzzy Hash: 0228f8b23fdf872b913aa8b393552ea0c7f91f71460ce7097a3d85acfeefb649
                                    • Instruction Fuzzy Hash: 51218C75A00B049FCB14DF6EC88169AB7F5FF48321F458669EC24D3781E774AA48CB92
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085F8AF), ref: 0085F835
                                      • Part of subcall function 00859284: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859290
                                      • Part of subcall function 00859284: @System@@RaiseExcept$qqrv.RTL250.BPL(?,008595F0,00000000,0085963E), ref: 00859295
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@SetCapacity$qqri.VCLIMG250(00000000,0085F8AF), ref: 0085F861
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Color2RGB$qqr21System@Uitypes@TColor.VCLIMG250(00000000,0085F8AF), ref: 0085F86E
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0085F8B6), ref: 0085F8A9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Color$Gifimg@Imaging@Map@System@@Vcl@$B$qqr21Capacity$qqriClr$qqrpv.Color2Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.StringString$qqrp20String.Sysutils@Uitypes@Unicode
                                    • String ID:
                                    • API String ID: 1995200149-0
                                    • Opcode ID: d405951926c34fa41aa6d5f1edc9486a9511f2c1e9687ce8a253f7b3b0479117
                                    • Instruction ID: 04d0f07d917612e0be2f967ac86e67a37da8d80a8a43946a369a0e6abb123964
                                    • Opcode Fuzzy Hash: d405951926c34fa41aa6d5f1edc9486a9511f2c1e9687ce8a253f7b3b0479117
                                    • Instruction Fuzzy Hash: 23215634A002089FDB00DF68C88199AB7B0FF09301B54C0B4E904DB356D730ED48CBA1
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@LoadFromStream$qqrp22System@Classes@TStream.VCLIMG250(00000000,008674FC), ref: 00867478
                                      • Part of subcall function 00866888: @Vcl@Imaging@Gifimg@TGIFExtension@DoReadFromStream$qqrp22System@Classes@TStream.VCLIMG250(00000000,008668E2,?,?,?,00000000), ref: 008668A5
                                      • Part of subcall function 00866888: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000), ref: 008668BF
                                      • Part of subcall function 00866888: @System@@UStrClr$qqrpv.RTL250.BPL(008668E9), ref: 008668DC
                                    • @System@@FillChar$qqrpvic.RTL250.BPL(00000000,008674FC), ref: 0086749A
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,008674FC), ref: 008674AF
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00867503), ref: 008674F6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$LoadSystem@@$Classes@Clr$qqrpv.Extension@FromGifimg@Imaging@Rec.StreamStream$qqrp22StringString$qqrp20Vcl@$Char$qqrpvic.FillRead
                                    • String ID:
                                    • API String ID: 1686783561-0
                                    • Opcode ID: 726a643c6a0fa418fb79a8b1e3489e30388196fb65f626c5f5de4b3a38f75f6f
                                    • Instruction ID: 594a97d9b4f7e03fe25067aac03876ac94d23d7d4f8935ef84f1f11ee9ae756f
                                    • Opcode Fuzzy Hash: 726a643c6a0fa418fb79a8b1e3489e30388196fb65f626c5f5de4b3a38f75f6f
                                    • Instruction Fuzzy Hash: F3119430604608EFCB00EB68C88589EBBF5FF48715B5281A9F815D7351DF749E05CB96
                                    APIs
                                    • @Oxrtl@System@Securitycenter@SecurityUtils@TSystemSecurityCenter@Lock$qqrv.OXCOMPONENTSRTL(?,?,0000001F), ref: 00C270C6
                                      • Part of subcall function 00C266CC: @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL(?,00C26311), ref: 00C266D2
                                    • @System@Generics@Collections@%TList__1$p61Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProduct%@GetItem$qqri.OXCOMPONENTSRTL(00000000,00C27125,?,00000000,00C27155,?,00000000,00C27175,?,?,?,0000001F), ref: 00C27111
                                      • Part of subcall function 00C27908: @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(?,0000001F,?,00C27116,00000000,00C27125,?,00000000,00C27155,?,00000000,00C27175,?,?,?,0000001F), ref: 00C27916
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00000000,00C27125,?,00000000,00C27155,?,00000000,00C27175,?,?,?,0000001F), ref: 00C27116
                                    • @System@Generics@Collections@%TList__1$p61Oxrtl@System@Securitycenter@SecurityUtils@TSecurityAppProduct%@Clear$qqrv.OXCOMPONENTSRTL(00000000,00C27155,?,00000000,00C27175,?,?,?,0000001F), ref: 00C2713B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Security$Generics@L250Oxrtl@Securitycenter@Utils@$Collections@%List__1$p61Product%@$Center@CheckClear$qqrvCollections@CriticalEnter$qqrv.Free$qqrv.Helper@ItemItem$qqriListLock$qqrvObject@Range$qqri.Section@Syncobjs@System
                                    • String ID:
                                    • API String ID: 3357658326-0
                                    APIs
                                    • @System@Generics@Collections@TListHelper@DoInsertInterface$qqripxv.RTL250.BPL ref: 00BE3318
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00BE332D
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BE3357), ref: 00BE3342
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BE3357), ref: 00BE334A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Clear$qqrr44DelphiInterface$17Interface%.IntfSystem@%System@@$Collections@Generics@Helper@InsertInterface$qqripxv.List
                                    • String ID:
                                    • API String ID: 3872037783-0
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@DoNextFrame$qqrv.VCLIMG250 ref: 00869478
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDisposal$qqrv.VCLIMG250 ref: 00869495
                                    • @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetDelay$qqrv.VCLIMG250 ref: 0086949F
                                    • MulDiv.KERNEL32(0000000A,00000064,?), ref: 008694F3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Gifimg@Imaging@Vcl@$ControlExtension@Graphic$CustomDelay$qqrvDisposal$qqrvFrame$qqrvNextRenderer@
                                    • String ID:
                                    • API String ID: 3023205478-0
                                    APIs
                                    • @System@@AddRefRecord$qqrpvt1.RTL250.BPL ref: 00BC51A1
                                    • @Oxrtl@System@Strutils@StrUtils@ExplodeFloat$qqrx20System@UnicodeStringt1r23System@%DynamicArray$f%rx31System@Sysutils@TFormatSettingsx65System@%DelphiInterface$38Oxrtl@System@Strutils@TParseFloatEvent%r20System@UnicodeStringxixo.OXCOMPONENTSRTL(?,?,?,?,?,00000000,00BC5200), ref: 00BC51D2
                                      • Part of subcall function 00BC5214: @System@@AddRefRecord$qqrpvt1.RTL250.BPL(?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5254
                                      • Part of subcall function 00BC5214: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5273
                                      • Part of subcall function 00BC5214: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC528A
                                      • Part of subcall function 00BC5214: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC5295
                                      • Part of subcall function 00BC5214: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?,00000000,00BC5200), ref: 00BC52B8
                                      • Part of subcall function 00BC5214: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC52EB
                                      • Part of subcall function 00BC5214: @System@Sysutils@CharInSet$qqrbrx25System@%Set$cc$i0$c$i-1$%.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC5329
                                      • Part of subcall function 00BC5214: @System@Math@Max$qqrxixi.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5353
                                      • Part of subcall function 00BC5214: @System@Math@Max$qqrxixi.RTL250.BPL(00000000,?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?), ref: 00BC5365
                                      • Part of subcall function 00BC5214: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5373
                                      • Part of subcall function 00BC5214: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?,?), ref: 00BC5410
                                      • Part of subcall function 00BC5214: @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(?,00000000,00BC559B,?,00000000,00BC55C9,?,?,?,?,?,00BC51D7,?,?,?,?), ref: 00BC5424
                                    • @System@@FinalizeRecord$qqrpvt1.RTL250.BPL(00BC5207,?,?,00000000,00BC5200), ref: 00BC51F2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BC5207,?,?,00000000,00BC5200), ref: 00BC51FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Unicode$String.$Len$qqrx20Record$qqrpvt1.System@%$Char$qqrx20Math@Max$qqrxixi.Oxrtl@Strutils@Sysutils@$ArrayArray$f%rx31Asg$qqrr20CharClear$qqrrpvpv.Clr$qqrpv.Copy$qqrx20DelphiDynamicEvent%r20ExplodeFinalizeFloatFloat$qqrx20FormatInterface$38ParseSet$cc$i0$c$i-1$%.Set$qqrbrx25Settingsx65Stringii.Stringt1r23Stringx20StringxixoUtils@
                                    • String ID:
                                    • API String ID: 195980121-0
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 0086677E
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 0086678E
                                    • @System@TObject@Free$qqrv.RTL250.BPL(008667EA), ref: 008667D4
                                    • @System@Classes@TPersistent@Assign$qqrp26System@Classes@TPersistent.RTL250.BPL ref: 008667E5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Classes@$Assign$qqrp26Class$qqrxp14Class.Free$qqrv.MetaObject@Object@$bctr$qqrv.Objectp17Persistent.Persistent@System@@
                                    • String ID:
                                    • API String ID: 3089974811-0
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0085F9FB,?,?,?,00000000,00000000), ref: 0085F996
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,00000000,00000000), ref: 0085F9B5
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@RGB2Color$qqr28Vcl@Imaging@Gifimg@TGIFColor.VCLIMG250(?,?,?,?,00000000,00000000), ref: 0085F9D9
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(0085FA02,00000000,00000000), ref: 0085F9F5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$ColorGifimg@Imaging@LoadRec.StringString$qqrp20Vcl@$ArrayClr$qqrpvi.Color$qqr28Map@System@@
                                    • String ID:
                                    • API String ID: 1896583978-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870E91
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870ED4
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00870EE7
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00870EEF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Vcl@$Array$uci$i65536$%iBytePngimage@Pngimage@update_crc$qqruip32StaticSwap$qqrxiSystem@%
                                    • String ID:
                                    • API String ID: 411736878-0
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00862FB6
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00862FC6
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00863022), ref: 0086300C
                                    • @System@Classes@TPersistent@Assign$qqrp26System@Classes@TPersistent.RTL250.BPL ref: 0086301D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$Classes@$Assign$qqrp26Class$qqrxp14Class.Free$qqrv.MetaObject@Object@$bctr$qqrv.Objectp17Persistent.Persistent@System@@
                                    • String ID:
                                    • API String ID: 3089974811-0
                                    APIs
                                    • @System@Generics@Collections@%TDictionary__2$uj44Oxrtl@System@Kerneldump@TKernelDumpRvaModule%@Hash$qqrxuj.OXCOMPONENTSRTL(?,?,?,?), ref: 00C4C06C
                                    • @System@Generics@Collections@%TDictionary__2$uj44Oxrtl@System@Kerneldump@TKernelDumpRvaModule%@GetBucketIndex$qqrxuji.OXCOMPONENTSRTL(?,?,?,?), ref: 00C4C075
                                    • @System@Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,?), ref: 00C4C08B
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(?,?,?,?), ref: 00C4C090
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Collections@%Dictionary__2$uj44DumpGenerics@KernelKerneldump@L250Module%@Oxrtl@$BucketExcept$qqrv.Exception@$bctr$qqrp20Hash$qqrxujIndex$qqrxujiRaiseRec.StringSystem@@Sysutils@
                                    • String ID:
                                    • API String ID: 1852846324-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00873553
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 00873587
                                    • @Vcl@Imaging@Pngimage@update_crc$qqruip32System@%StaticArray$uci$i65536$%i.VCLIMG250 ref: 008735A3
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 008735AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Vcl@$Array$uci$i65536$%iBytePngimage@Pngimage@update_crc$qqruip32StaticSwap$qqrxiSystem@%
                                    • String ID:
                                    • API String ID: 411736878-0
                                    APIs
                                    • @System@Classes@TList@Sort$qqrpqqrpvt1$i.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868442
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868457
                                    • @System@Classes@TList@Get$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 00868471
                                    • @System@Classes@TList@SetCount$qqri.RTL250.BPL(?,00000000,00000000,?,00868AED,00000000,00868C14), ref: 0086848A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Classes@L250List@System@$Get$qqri.$Count$qqri.Sort$qqrpqqrpvt1$i.
                                    • String ID:
                                    • API String ID: 423473777-0
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@PrepareImageData$qqrv.VCLIMG250 ref: 00876007
                                    • CreateCompatibleDC.GDI32(00000000), ref: 0087600E
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,?,00000024,00000000), ref: 0087602D
                                    • DeleteDC.GDI32(00000000), ref: 00876033
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: BitsChunkCompatibleCreateData$qqrvDeleteImageImaging@Pngimage@PrepareVcl@
                                    • String ID:
                                    • API String ID: 3961307305-0
                                    APIs
                                    • @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870E55,?,00000000,00870E77,?,?,?,00000000,00000000), ref: 00870E12
                                    • @System@TObject@ClassName$qqrv.RTL250.BPL(00000000,00870E55,?,00000000,00870E77,?,?,?,00000000,00000000), ref: 00870E1C
                                    • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL250.BPL(?,00000000,00870E55,?,00000000,00870E77,?,?,?,00000000,00000000), ref: 00870E3A
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00870E5C,?,00000000,00870E77,?,?,?,00000000,00000000), ref: 00870E4F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$ClassName$qqrv.Object@System@@$Clr$qqrpv.Copy$qqrx20Stringii.Unicode
                                    • String ID:
                                    • API String ID: 3567393390-0
                                    • Opcode ID: 982c46c8c9dea5fc1ed2b5c8de7551786a6a4bfb531352ef709a84cbf23bcf70
                                    • Instruction ID: 07e5561dd5af6d59bc52a443cebf48625d4775d3c12ed7bf4814deed10dfeaf2
                                    • Opcode Fuzzy Hash: 982c46c8c9dea5fc1ed2b5c8de7551786a6a4bfb531352ef709a84cbf23bcf70
                                    • Instruction Fuzzy Hash: 3C01D131300B44AFEB01DE68CCA2B5AB7A9FB89B00F8088B4F904D3B45D6B5AD088951
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008781CE
                                    • @Vcl@Graphics@TGraphic@$bctr$qqrv.VCL250.BPL ref: 008781E0
                                    • @Vcl@Imaging@Jpeg@TJPEGImage@NewImage$qqrv.VCLIMG250 ref: 008781E7
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00878226
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@Vcl@$AfterClassConstruction$qqrxp14Create$qqrpvzc.Graphic@$bctr$qqrv.Graphics@Image$qqrvImage@Imaging@Jpeg@Object.System@
                                    • String ID:
                                    • API String ID: 1336157202-0
                                    • Opcode ID: ac9ecf6b7b48a7256a7655310865ae175c15d23106162cbe69da244c3766cab2
                                    • Instruction ID: 9da35457d816d1e48edd4881fa8c8c3f28cb96c039157d80f139fcd608126c02
                                    • Opcode Fuzzy Hash: ac9ecf6b7b48a7256a7655310865ae175c15d23106162cbe69da244c3766cab2
                                    • Instruction Fuzzy Hash: B501D465604EE18FC331DB7E4440662BFE1BF5A15130C846AE9E8C3B43D316F9188BB2
                                    APIs
                                    • @Vcl@Graphics@TIcon@GetHandle$qqrv.VCL250.BPL(?), ref: 00864D77
                                    • GetIconInfo.USER32(00000000,?), ref: 00864D7D
                                      • Part of subcall function 00864CD8: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?), ref: 00864CEC
                                      • Part of subcall function 00864CD8: @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL(?), ref: 00864CFB
                                      • Part of subcall function 00864CD8: @Vcl@Graphics@TBitmap@SetHandle$qqrp9HBITMAP__.VCL250.BPL(00000000,00864D59,?,?), ref: 00864D16
                                      • Part of subcall function 00864CD8: @Vcl@Graphics@TBitmap@ReleaseHandle$qqrv.VCL250.BPL(00864D60), ref: 00864D43
                                      • Part of subcall function 00864CD8: @System@TObject@Free$qqrv.RTL250.BPL(00864D60), ref: 00864D4B
                                      • Part of subcall function 00864CD8: @System@TObject@Free$qqrv.RTL250.BPL(00864D60), ref: 00864D53
                                    • DeleteObject.GDI32(?), ref: 00864DB2
                                    • DeleteObject.GDI32(?), ref: 00864DBF
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Graphics@Vcl@$Bitmap@Bitmap@$bctr$qqrv.DeleteFree$qqrv.Handle$qqrv.ObjectObject@System@$Handle$qqrp9IconIcon@InfoP__.Release
                                    • String ID:
                                    • API String ID: 317975131-0
                                    • Opcode ID: 725b2b6c356ffa50f06a0e0782d81adfebbfcb358ec1a64f191d8e767b180ff0
                                    • Instruction ID: 444bfd5b3acff3127fde3e071cb4a96e3d6bdc14a825f4d9ca3d4307a97aaf0b
                                    • Opcode Fuzzy Hash: 725b2b6c356ffa50f06a0e0782d81adfebbfcb358ec1a64f191d8e767b180ff0
                                    • Instruction Fuzzy Hash: 82F02431B042086BCB14EEACCC42D5EB7ECFB49710B411560BD08E3241EE34D8008675
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 008601EF
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL ref: 00860223
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@Clear$qqrv.VCLIMG250 ref: 0086022E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Class$qqrxp14Class.L250MetaObjectp17System@@$Clear$qqrvGifimg@Header@Imaging@Vcl@
                                    • String ID:
                                    • API String ID: 1333304451-0
                                    • Opcode ID: 7c96663d0f5973765e03f3cafd8d874a48138999b9f5292494c672b93819e13e
                                    • Instruction ID: 5280c05eec465cb3032815f3a4139182b75e08314e45587bce9adb4467331746
                                    • Opcode Fuzzy Hash: 7c96663d0f5973765e03f3cafd8d874a48138999b9f5292494c672b93819e13e
                                    • Instruction Fuzzy Hash: BD014B34300B009B8311DF6DC48441AF7B1FF493123648569E859CB711CB21EC4ACB95
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,008742F1,?,00000000), ref: 008742B2
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,008742F1,?,00000000), ref: 008742C3
                                      • Part of subcall function 00874CA4: @System@@UStrAddRef$qqrpv.RTL250.BPL(?,?,?,00870A23), ref: 00874CB1
                                      • Part of subcall function 00874CA4: @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CCB
                                      • Part of subcall function 00874CA4: @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CD0
                                      • Part of subcall function 00874CA4: @System@@UStrClr$qqrpv.RTL250.BPL(00874CF2,?,?,?,00870A23), ref: 00874CE5
                                    • @Vcl@Imaging@Pngimage@TChunk@GetHeader$qqrv.VCLIMG250(00000000,008742F1,?,00000000), ref: 008742CC
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(008742F8,00000000), ref: 008742EB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Clr$qqrpv.Imaging@Pngimage@RaiseStringUnicodeVcl@$Chunk@Class20Error$qqrp17Except$qqrv.Exception@$bctr$qqrx20Header$qqrvImage@LoadMetaRec.Ref$qqrpv.String$qqrp20String.Sysutils@
                                    • String ID:
                                    • API String ID: 1200184921-0
                                    • Opcode ID: afa0f3239061477a5c4f38c05368eb4f1b49d3c53f95ab18e5cfa43a77455f6a
                                    • Instruction ID: 5d9fc2673c40891197484791aad10d76977cc3bd50e752161f4d185cef1b8caa
                                    • Opcode Fuzzy Hash: afa0f3239061477a5c4f38c05368eb4f1b49d3c53f95ab18e5cfa43a77455f6a
                                    • Instruction Fuzzy Hash: F101AD307186089FC714DF68D89186EB7A5FB88310792C566F804D3796DB70ED119A55
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@GetHeader$qqrv.VCLIMG250 ref: 0087688A
                                      • Part of subcall function 00874EC4: @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EE9
                                      • Part of subcall function 00874EC4: @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,00874F3A,?,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874EF8
                                      • Part of subcall function 00874EC4: @System@@UStrClr$qqrpv.RTL250.BPL(00874F41,?,?,00000000,?,00874B5F,00000000,?,?,00873285,00000000,00873384), ref: 00874F34
                                    • @Vcl@Imaging@Pngimage@TPNGList@ItemFromClass$qqrp17System@TMetaClass.VCLIMG250 ref: 008768B6
                                    • @Vcl@Imaging@Pngimage@TPNGList@RemoveChunk$qqrp27Vcl@Imaging@Pngimage@TChunk.VCLIMG250 ref: 008768C6
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 008768EC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$L250List@System@System@@$Meta$ChunkChunk$qqrp27ClassClass$qqrp17Class$qqrxp14Class.Clr$qqrpv.FreeFromHeader$qqrvImage@ItemItem$qqruiMem$qqrpv.Objectp17Remove
                                    • String ID:
                                    • API String ID: 329120573-0
                                    • Opcode ID: ab2ba9cd50d94e159fe2b439afa7cc5164dc8167d1c39b9b4bcfb48b66a1d483
                                    • Instruction ID: 1c68123d7559c029f9223594445dee7b2afc329e9453050469e5be28e7ef1f87
                                    • Opcode Fuzzy Hash: ab2ba9cd50d94e159fe2b439afa7cc5164dc8167d1c39b9b4bcfb48b66a1d483
                                    • Instruction Fuzzy Hash: 6EF0AF61704A508ADB11D67C98853E22385FB45314F0884B6EE4CCF25FF679DC55E3A7
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 0087186F
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00871887
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00871894
                                    • @Vcl@Imaging@Pngimage@TChunk@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250 ref: 008718B0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$ByteChunk@Swap$qqrxi$Classes@Data$qqrxuiResizeSaveStreamStream$qqrp22System@
                                    • String ID:
                                    • API String ID: 1431952582-0
                                    • Opcode ID: c8e89da4e2dda8000139046f4738f1b63acfe38614c622cac6c544fd5170ad85
                                    • Instruction ID: c64cef3618abb0ff9b68d924d7e71d672946c58cc093ad749b45725e2c9031b9
                                    • Opcode Fuzzy Hash: c8e89da4e2dda8000139046f4738f1b63acfe38614c622cac6c544fd5170ad85
                                    • Instruction Fuzzy Hash: F2F019A26016948FCB00EE2D8884682BBD5EF46325F18C0B5ED9CDF30BC671EC04CB61
                                    APIs
                                    • MulDiv.KERNEL32(?,0000001D,00000100), ref: 0085AA6D
                                    • MulDiv.KERNEL32(?,00000096,00000100), ref: 0085AA8E
                                    • MulDiv.KERNEL32(00000000,0000004D,00000100), ref: 0085AA9F
                                    • @Vcl@Imaging@Gifimg@TSlowColorLookup@Lookup$qqrucucucruct4t4.VCLIMG250(0000004D,00000100,00000000,?,00000096,00000100,?,?,?,00000000), ref: 0085AAA9
                                      • Part of subcall function 0085A8EC: GetNearestPaletteIndex.GDI32(?), ref: 0085A913
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: ColorGifimg@Imaging@IndexLookup$qqrucucucruct4t4Lookup@NearestPaletteSlowVcl@
                                    • String ID:
                                    • API String ID: 3136108044-0
                                    • Opcode ID: 1c5d81ce2f03173962949d94cf7aeadea9782a1cad64c264527e7fd7b53478a7
                                    • Instruction ID: 0df2b87d308588007a74658fd3f6ede3dec76c54ec257c4f81d6112656ac0669
                                    • Opcode Fuzzy Hash: 1c5d81ce2f03173962949d94cf7aeadea9782a1cad64c264527e7fd7b53478a7
                                    • Instruction Fuzzy Hash: 77F05EB27843583EE601E6AC5C42FBB77DCDB09712F104412BA44DB1C2D8A6DD0457B6
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@LoadFromStream$qqrp22System@Classes@TStream.VCLIMG250(00000000,00866BFD,?,?,?,00000000), ref: 00866BB5
                                      • Part of subcall function 00866888: @Vcl@Imaging@Gifimg@TGIFExtension@DoReadFromStream$qqrp22System@Classes@TStream.VCLIMG250(00000000,008668E2,?,?,?,00000000), ref: 008668A5
                                      • Part of subcall function 00866888: @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000), ref: 008668BF
                                      • Part of subcall function 00866888: @System@@UStrClr$qqrpv.RTL250.BPL(008668E9), ref: 008668DC
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,?,00000000), ref: 00866BD6
                                    • @Vcl@Imaging@Gifimg@TGIFItem@Warning$qqr31Vcl@Imaging@Gifimg@TGIFSeverityx20System@UnicodeString.VCLIMG250(?,?,?,00000000), ref: 00866BE2
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00866C04,00000000), ref: 00866BF7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Gifimg@Imaging@L250Vcl@$LoadString$Classes@Clr$qqrpv.Extension@FromRec.StreamStream$qqrp22String$qqrp20System@@$Item@ReadSeverityx20UnicodeWarning$qqr31
                                    • String ID:
                                    • API String ID: 3006739372-0
                                    • Opcode ID: 092338f0ca1b544cfaec4f3020e9234d4be2a35e230758ae7c945a9579482cc2
                                    • Instruction ID: 75234d81313aa339db397bcaf72a3ffc254530c25efb576f6495c85d80c55e73
                                    • Opcode Fuzzy Hash: 092338f0ca1b544cfaec4f3020e9234d4be2a35e230758ae7c945a9579482cc2
                                    • Instruction Fuzzy Hash: B6F0F030300304EFD714EF2CCC8195AB3EAFB48710B9288B5F800C7351EAB5AD188680
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00BE22A8
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@JournalTypeToString$qqrx43Oxrtl@System@Eventlog@TWindowsEventsJournal.OXCOMPONENTSRTL(?,00000000,00BE22F2), ref: 00BE22CB
                                    • @Oxrtl@System@Eventlog@TWindowsEventLogHook@$bctr$qqrx20System@UnicodeStringx59System@%DelphiInterface$32Oxrtl@System@Eventlog@ICondition%.OXCOMPONENTSRTL(?,00000000,00BE22F2), ref: 00BE22D7
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BE22F9), ref: 00BE22EC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$Eventlog@Oxrtl@$Windows$EventJournalL250System@@$ClassClr$qqrpv.Condition%Create$qqrpvzc.DelphiEventsHook@$bctr$qqrx20Interface$32Log@String$qqrx43Stringx59System@%TypeUnicode
                                    • String ID:
                                    • API String ID: 2983966703-0
                                    • Opcode ID: 3e124f91fd3548a4ca5fc36c245d372960cc1d10f646a0590985f7a941495a6d
                                    • Instruction ID: 382e59b663bd63239deb52f5f83b0462ff0759de172078822a19448e956dd902
                                    • Opcode Fuzzy Hash: 3e124f91fd3548a4ca5fc36c245d372960cc1d10f646a0590985f7a941495a6d
                                    • Instruction Fuzzy Hash: 03F02B716047486F9711DFADCC8289DBBECDB4A320B8585F4F500E3391EB355D058651
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,?,00000000,00878169), ref: 0087813A
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL250.BPL(00000000,?,00000000,00878169), ref: 00878149
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,?,00000000,00878169), ref: 0087814E
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00878170,00878169), ref: 00878163
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$System@@$Clr$qqrpv.Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.Recxi.StringString$qqrp20Stringpx14Sysutils@Unicode
                                    • String ID:
                                    • API String ID: 1744094976-0
                                    • Opcode ID: 142a8404f1895daefb30f4831da0d1a4ed833bc1d2f0c25dcd88e87f0a8a5a7e
                                    • Instruction ID: 5eb3599808fa8200f55027353a4a1387917e5726b9a472b3d7c0e3bede1c98b5
                                    • Opcode Fuzzy Hash: 142a8404f1895daefb30f4831da0d1a4ed833bc1d2f0c25dcd88e87f0a8a5a7e
                                    • Instruction Fuzzy Hash: E2F0C834A14604AFDB01DF68CC85E9DB7F9FB49300F8180A1E810D3350EF70A904CB62
                                    APIs
                                    • @System@@IsClass$qqrxp14System@TObjectp17System@TMetaClass.RTL250.BPL(00000000,0087459E,?,?,?,00000000), ref: 00874559
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,0087459E,?,?,?,00000000), ref: 00874572
                                    • @Vcl@Imaging@Pngimage@TPngImage@RaiseError$qqrp17System@TMetaClass20System@UnicodeString.VCLIMG250(00000000,0087459E,?,?,?,00000000), ref: 00874583
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(008745A5,?,?,00000000), ref: 00874598
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$L250$MetaStringSystem@@$Class$qqrxp14Class.Class20Clr$qqrpv.Error$qqrp17Image@Imaging@LoadObjectp17Pngimage@RaiseRec.String$qqrp20UnicodeVcl@
                                    • String ID:
                                    • API String ID: 4206986878-0
                                    • Opcode ID: 4a20e74e70938b693d6de008c0cd9ee6e48fcb09e03b82141985cb7de05eeaf0
                                    • Instruction ID: 1e918a8d43d703c8795b1b27555f251d0b27bb5268ce6396474af7b945a5c351
                                    • Opcode Fuzzy Hash: 4a20e74e70938b693d6de008c0cd9ee6e48fcb09e03b82141985cb7de05eeaf0
                                    • Instruction Fuzzy Hash: 76F0CD34200608AFDB10DF28DD82D1A73E9FB89B40B5284A1EC04C7359DBB0ED05DA61
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TChunk@ResizeData$qqrxui.VCLIMG250 ref: 0087747C
                                      • Part of subcall function 00870BA8: @System@@ReallocMem$qqrrpvi.RTL250.BPL ref: 00870BAF
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 00877487
                                    • @Vcl@Imaging@Pngimage@ByteSwap$qqrxi.VCLIMG250 ref: 0087749A
                                    • @Vcl@Imaging@Pngimage@TChunk@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250 ref: 008774C1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$ByteChunk@Swap$qqrxi$Classes@Data$qqrxuiL250Mem$qqrrpvi.ReallocResizeSaveStreamStream$qqrp22System@System@@
                                    • String ID:
                                    • API String ID: 2985479759-0
                                    • Opcode ID: 7959fba60120af56635533d82c536635f94c0aa2b6638bd6cace8126d8ebe6ad
                                    • Instruction ID: b77df2d81f388bad895ee0f76cfc8dd268a9b97a6ab8d72eb66c1b0b34813a59
                                    • Opcode Fuzzy Hash: 7959fba60120af56635533d82c536635f94c0aa2b6638bd6cace8126d8ebe6ad
                                    • Instruction Fuzzy Hash: 81018474A04148DFCB01DF98C58198DFBB1EF89314B2482E1E858AB35AD630EF41DB91
                                    APIs
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL(00000000,00C41136,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C410C5
                                    • @Oxrtl@Project@Passwords@TPasswordUtils@CharType$qqrb.OXCOMPONENTSRTL(00000000,00C41136,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C410F7
                                    • @System@@UStrArrayClr$qqrpvi.RTL250.BPL(00C4113D,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C41122
                                    • @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(00C4113D,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C41130
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Syncobjs@TCriticalSection@Enter$qqrv.RTL250.BPL ref: 00C02147
                                    • ResetEvent.KERNEL32(?,?,00000000,00C021A8), ref: 00C02175
                                    • SetEvent.KERNEL32(00000000,?,?,00000000,00C021A8), ref: 00C0218A
                                    • @System@Syncobjs@TCriticalSection@Leave$qqrv.RTL250.BPL(00C021AF), ref: 00C021A2
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BE2251
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BE2262
                                    • @Oxrtl@System@Eventlog@TWindowsEventLog@UserNameFromSid$qqrpv.OXCOMPONENTSRTL ref: 00BE227C
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BE228A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00866C15
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 00866C22
                                    • @System@Classes@TStringList@$bctr$qqrv.RTL250.BPL ref: 00866C2E
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00866C68
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(00000000,00BCF0BA,?,?,?,?,00000000), ref: 00BCF087
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF0BA,?,?,?,?,00000000), ref: 00BCF095
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF0BA,?,?,?,?,00000000), ref: 00BCF09F
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BCF0C1,?,?,?,00000000), ref: 00BCF0B4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(00000000,00BCE2CE,?,?,?,?,00000000), ref: 00BCE29B
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE2CE,?,?,?,?,00000000), ref: 00BCE2A9
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE2CE,?,?,?,?,00000000), ref: 00BCE2B3
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCE2D5,?,?,?,00000000), ref: 00BCE2C8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008666ED
                                    • @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250(?,00855618,?,?,00866924,00000000,0086697B,?,?), ref: 00866700
                                    • @Vcl@Imaging@Gifimg@TGIFList@Add$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250(?,00855618,?,?,00866924,00000000,0086697B,?,?), ref: 0086670F
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,00855618,?,?,00866924,00000000,0086697B,?,?), ref: 0086671C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE1E6), ref: 00BCE1B4
                                    • @System@Generics@Collections@TListHelper@DoExtractItemFwdInterface$qqrpxvpv.RTL250.BPL(00000000,00BCE1E6), ref: 00BCE1C1
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE1E6), ref: 00BCE1CB
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCE1ED), ref: 00BCE1E0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(00000000,00BCF322,?,?,?,?,00000000), ref: 00BCF2EF
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF322,?,?,?,?,00000000), ref: 00BCF2FD
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF322,?,?,?,?,00000000), ref: 00BCF307
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BCF329,?,?,?,00000000), ref: 00BCF31C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@NewImage$qqrv.VCLIMG250(00000000,00863293,?,?,00000000), ref: 00863256
                                      • Part of subcall function 008632D8: @Vcl@Imaging@Gifimg@TGIFFrame@FreeImage$qqrv.VCLIMG250(?,?,00861D79), ref: 008632DE
                                      • Part of subcall function 008632D8: @System@@GetMem$qqri.RTL250.BPL(?,?,00861D79), ref: 008632F4
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@ClearImage$qqrv.VCLIMG250(00000000,00863293,?,?,00000000), ref: 0086325D
                                      • Part of subcall function 008632A0: @Vcl@Imaging@Gifimg@TGIFFrame@GetTransparent$qqrv.VCLIMG250(?,?,?,00861D80), ref: 008632B1
                                      • Part of subcall function 008632A0: @Vcl@Imaging@Gifimg@TGIFGraphicControlExtension@GetTransparentColorIndex$qqrv.VCLIMG250(?,?,?,00861D80), ref: 008632BD
                                      • Part of subcall function 008632A0: @System@@FillChar$qqrpvic.RTL250.BPL(?,?,?,00861D80), ref: 008632CF
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(?,?,00000000,00863293,?,?,00000000), ref: 00863270
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(0086329A,00863293,?,?,00000000), ref: 0086328D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C2A3F1
                                    • @Oxrtl@System@Threadex@TCancelationToken@$bctr$qqrv.OXCOMPONENTSRTL ref: 00C2A400
                                    • @System@Syncobjs@TCriticalSection@$bctr$qqrv.RTL250.BPL ref: 00C2A40F
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00C2A41D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(00000000,00BCF058,?,?,?,00000000), ref: 00BCF026
                                    • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF058,?,?,?,00000000), ref: 00BCF033
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00BCF058,?,?,?,00000000), ref: 00BCF03D
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00BCF05F,?,?,00000000), ref: 00BCF052
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@Generics@Collections@TListHelper@CheckItemRange$qqri.RTL250.BPL(00000000,00BCE26C,?,?,?,00000000), ref: 00BCE23A
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE26C,?,?,?,00000000), ref: 00BCE247
                                    • @System@@IntfCopy$qqrr44System@%DelphiInterface$17System@IInterface%x44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00000000,00BCE26C,?,?,?,00000000), ref: 00BCE251
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(00BCE273,?,?,00000000), ref: 00BCE266
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00C5E3D1
                                    • @System@@UStrAddRef$qqrpv.RTL250.BPL ref: 00C5E3E0
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL(00000000,00C5E414), ref: 00C5E3F9
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C5E41B), ref: 00C5E40E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@GetEmpty$qqrv.VCLIMG250 ref: 008642EF
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Prepare$qqrv.VCLIMG250 ref: 008642FA
                                      • Part of subcall function 008642A4: @Vcl@Imaging@Gifimg@TGIFFrame@GetColorResolution$qqrv.VCLIMG250 ref: 008642C7
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@SaveToStream$qqrp22System@Classes@TStream.VCLIMG250 ref: 00864313
                                      • Part of subcall function 0085F45C: @System@Classes@TStream@WriteBuffer$qqrpxvi.RTL250.BPL ref: 0085F472
                                      • Part of subcall function 0085F45C: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250 ref: 0085F479
                                      • Part of subcall function 0085F45C: @System@Classes@TStream@WriteBuffer$qqrpxvi.RTL250.BPL ref: 0085F4A7
                                    • @Vcl@Imaging@Gifimg@TGIFFrame@Compress$qqrp22System@Classes@TStream.VCLIMG250 ref: 0086431C
                                      • Part of subcall function 00862D48: @Vcl@Imaging@Gifimg@TGIFColorMap@GetBitsPerPixel$qqrv.VCLIMG250 ref: 00862D64
                                      • Part of subcall function 00862D48: @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00862D87
                                      • Part of subcall function 00862D48: @Vcl@Imaging@Gifimg@TGIFFrame@GetInterlaced$qqrv.VCLIMG250(?,?,00000000,00862DE9), ref: 00862DBA
                                      • Part of subcall function 00862D48: @System@TObject@Free$qqrv.RTL250.BPL(00862DF0,?,?,00000000,00862DE9), ref: 00862DE3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BEE15D
                                    • CloseHandle.KERNEL32(?), ref: 00BEE17C
                                    • @Oxrtl@System@Filemapped@TCustomMappedMemory@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00BEE187
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BEE192
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00860145
                                    • @Vcl@Imaging@Gifimg@TGIFItem@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 00860152
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@Clear$qqrv.VCLIMG250 ref: 0086016A
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00860175
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @Oxrtl@System@Powerutils@PowerUtils@ActiveSchemeName$qqrv.OXCOMPONENTSRTL ref: 00C112A9
                                      • Part of subcall function 00C112F0: @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL(?,?,00C112AE), ref: 00C112FA
                                      • Part of subcall function 00C112F0: @Oxrtl@System@Powerutils@PowerUtils@ActiveSchemeNameVista$qqrv.OXCOMPONENTSRTL(?,?,00C112AE), ref: 00C11305
                                    • @System@Sysutils@TStringHelper@GetLength$qqrv.RTL250.BPL(-00000001,00C112E3,?,?,-00000001,?,?), ref: 00C112B1
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL(-00000001,00C112E3,?,?,-00000001,?,?), ref: 00C112BC
                                    • @Oxrtl@System@Powerutils@PowerUtils@OpenPowerScheme$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00C112C8
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00C112EA), ref: 00C112DD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    APIs
                                    • @Vcl@Imaging@Pngimage@TPngImage@InitializeGamma$qqrv.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748B7
                                    • @Vcl@Imaging@Pngimage@TPNGList@GetItem$qqrui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748D5
                                      • Part of subcall function 00870B4C: @Vcl@Imaging@Pngimage@TPNGPointerList@GetItem$qqrui.VCLIMG250(?,00000000,008708B6), ref: 00870B56
                                    • @System@TObject@Free$qqrv.RTL250.BPL(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748DA
                                    • @Vcl@Imaging@Pngimage@TPNGPointerList@SetSize$qqrxui.VCLIMG250(00000000,?,?,008764A6,00000000,00000018,?,?,?,?,?,008748A1), ref: 008748EB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A64
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A73
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A78
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00860A9A,?,00000000), ref: 00860A8D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@UStrAddRef$qqrpv.RTL250.BPL(?,?,?,00870A23), ref: 00874CB1
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CCB
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00874CEB,?,?,?,?,00870A23), ref: 00874CD0
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00874CF2,?,?,?,00870A23), ref: 00874CE5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008622E5
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL(?,?,00862BD9,00000000,00862D3A,?,?,?,?,00000000,00000000,00000000), ref: 008622F2
                                    • @System@@GetMem$qqri.RTL250.BPL(?,?,00862BD9,00000000,00862D3A,?,?,?,?,00000000,00000000,00000000), ref: 008622FC
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL(?,?,00862BD9,00000000,00862D3A,?,?,?,?,00000000,00000000,00000000), ref: 00862311
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00860AEB,?,?,00000000), ref: 00860ABC
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00860AEB,?,?,00000000), ref: 00860ACB
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00860AEB,?,?,00000000), ref: 00860AD0
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00860AF2,?,00000000), ref: 00860AE5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00860B43,?,?,00000000), ref: 00860B14
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00860B43,?,?,00000000), ref: 00860B23
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00860B43,?,?,00000000), ref: 00860B28
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00860B4A,?,00000000), ref: 00860B3D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Clr$qqrpv.Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.StringString$qqrp20String.Sysutils@Unicode
                                    • String ID:
                                    • API String ID: 1785839807-0
                                    APIs
                                    • @System@LoadResString$qqrp20System@TResStringRec.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A64
                                    • @System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A73
                                    • @System@@RaiseExcept$qqrv.RTL250.BPL(00000000,00860A93,?,?,00000000), ref: 00860A78
                                    • @System@@UStrClr$qqrpv.RTL250.BPL(00860A9A,?,00000000), ref: 00860A8D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Clr$qqrpv.Except$qqrv.Exception@$bctr$qqrx20LoadRaiseRec.StringString$qqrp20String.Sysutils@Unicode
                                    • String ID:
                                    • API String ID: 1785839807-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0086728D
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 0086729A
                                    • @System@@FillChar$qqrpvic.RTL250.BPL ref: 008672A9
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 008672B4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@@$Gifimg@Imaging@Vcl@$AfterChar$qqrpvic.ClassConstruction$qqrxp14Create$qqrpvzc.Extension@$bctr$qqrp28FillFrameObject.System@
                                    • String ID:
                                    • API String ID: 1898264186-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 008675DD
                                    • @Vcl@Imaging@Gifimg@TGIFApplicationExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 008675EA
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 008675F6
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00867604
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Gifimg@Imaging@System@System@@Vcl@$AfterApplicationClassConstruction$qqrxp14Create$qqrpvzc.Extension@$bctr$qqrp28FrameObject.Object@$bctr$qqrv.
                                    • String ID:
                                    • API String ID: 567650600-0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 008797B4
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008797BE
                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 008797C8
                                    • ReleaseDC.USER32(00000000,00000000), ref: 008797EB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: CapsDevice$Release
                                    • String ID:
                                    • API String ID: 1035833867-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00859875
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 00859882
                                    • @System@TObject@$bctr$qqrv.RTL250.BPL ref: 0085988E
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085989C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$Object@$bctr$qqrv.System@@$AfterClassConstruction$qqrxp14Create$qqrpvzc.Object.
                                    • String ID:
                                    • API String ID: 1230796933-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00866D81
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFFrame.VCLIMG250 ref: 00866D8E
                                    • @System@Classes@TStringList@$bctr$qqrv.RTL250.BPL ref: 00866D9A
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00866DA8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$Gifimg@Imaging@System@System@@Vcl@$AfterClassClasses@Construction$qqrxp14Create$qqrpvzc.Extension@$bctr$qqrp28FrameList@$bctr$qqrv.Object.String
                                    • String ID:
                                    • API String ID: 1777190659-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00868F0D
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@$bctr$qqrp28Vcl@Imaging@Gifimg@TGIFImage.VCLIMG250 ref: 00868F1A
                                    • @Vcl@Graphics@TBitmap@$bctr$qqrv.VCL250.BPL ref: 00868F26
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00868F34
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250Vcl@$Gifimg@Imaging@System@@$AfterBitmap@$bctr$qqrv.ClassConstruction$qqrxp14Create$qqrpvzc.CustomGraphics@ImageObject.Renderer@$bctr$qqrp28System@
                                    • String ID:
                                    • API String ID: 2200506845-0
                                    APIs
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00BCE15A
                                    • @System@Generics@Collections@TListHelper@DoExtractItemFwdInterface$qqrpxvpv.RTL250.BPL ref: 00BCE167
                                    • @System@@IntfClear$qqrr44System@%DelphiInterface$17System@IInterface%.RTL250.BPL ref: 00BCE171
                                    • @System@Generics@Collections@TListHelper@DoExtractItemRevInterface$qqrpxvpv.RTL250.BPL ref: 00BCE17E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$Clear$qqrr44Collections@DelphiExtractGenerics@Helper@Interface$17Interface$qqrpxvpv.Interface%.IntfItemListSystem@%System@@
                                    • String ID:
                                    • API String ID: 4171002879-0
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TCustomGIFRenderer@StartAnimation$qqrv.VCLIMG250 ref: 008696D4
                                    • @Vcl@Extctrls@TTimer@$bctr$qqrp25System@Classes@TComponent.VCL250.BPL ref: 008696E2
                                    • @Vcl@Extctrls@TTimer@SetEnabled$qqro.VCL250.BPL ref: 008696F0
                                    • @Vcl@Extctrls@TTimer@SetOnTimer$qqrynpqqrp14System@TObject$v.VCL250.BPL(?), ref: 008696FE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Vcl@$Extctrls@L250$System@Timer@$Animation$qqrvClasses@Component.CustomEnabled$qqro.Gifimg@Imaging@Object$v.Renderer@StartTimer$qqrynpqqrp14Timer@$bctr$qqrp25
                                    • String ID:
                                    • API String ID: 3389109231-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 00874631
                                    • @Vcl@Imaging@Pngimage@TChunk@$bctr$qqrp30Vcl@Imaging@Pngimage@TPngImage.VCLIMG250 ref: 0087463E
                                    • @Vcl@Imaging@Pngimage@TChunkgAMA@SetValue$qqrxui.VCLIMG250 ref: 0087464A
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 00874655
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: Imaging@Pngimage@Vcl@$L250System@@$AfterChunk@$bctr$qqrp30ChunkgClassConstruction$qqrxp14Create$qqrpvzc.ImageObject.System@Value$qqrxui
                                    • String ID:
                                    • API String ID: 1246787535-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085A955
                                    • @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085A962
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085A96E
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085A979
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: ColorGifimg@Imaging@L250System@@Vcl@$AfterClassColors$qqriConstruction$qqrxp14Create$qqrpvzc.Lookup@Lookup@$bctr$qqrp10Object.System@
                                    • String ID:
                                    • API String ID: 494656066-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085AAC1
                                    • @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085AACE
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085AADA
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085AAE5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: ColorGifimg@Imaging@L250System@@Vcl@$AfterClassColors$qqriConstruction$qqrxp14Create$qqrpvzc.Lookup@Lookup@$bctr$qqrp10Object.System@
                                    • String ID:
                                    • API String ID: 494656066-0
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085AA19
                                    • @Vcl@Imaging@Gifimg@TSlowColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085AA26
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085AA32
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085AA3D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@ClassCreate$qqrpvzc.RTL250.BPL ref: 0085AB3D
                                    • @Vcl@Imaging@Gifimg@TColorLookup@$bctr$qqrp10HPALETTE__.VCLIMG250 ref: 0085AB4A
                                    • @Vcl@Imaging@Gifimg@TColorLookup@SetColors$qqri.VCLIMG250 ref: 0085AB56
                                    • @System@@AfterConstruction$qqrxp14System@TObject.RTL250.BPL ref: 0085AB61
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL250.BPL ref: 00BF5141
                                    • @Oxrtl@System@Fileutils@FileUtils@FileNameType$qqrx20System@UnicodeString.OXCOMPONENTSRTL ref: 00BF514D
                                      • Part of subcall function 00BF4338: @System@Strutils@StartsStr$qqrx20System@UnicodeStringt1.RTL250.BPL ref: 00BF4355
                                    • @System@@UStrLen$qqrx20System@UnicodeString.RTL250.BPL ref: 00BF515B
                                    • @System@@UStrDelete$qqrr20System@UnicodeStringii.RTL250.BPL ref: 00BF5169
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0087079E
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 008707B5
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 008707C0
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 008707CB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00866736
                                    • @Vcl@Imaging@Gifimg@TGIFList@Remove$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 0086674B
                                      • Part of subcall function 008599C0: @System@Classes@TList@RemoveItem$qqrpv23System@Types@TDirection.RTL250.BPL ref: 008599C5
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 00866756
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00866761
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@GetBackgroundColor$qqrv.VCLIMG250 ref: 00869A19
                                      • Part of subcall function 008604E8: @Vcl@Imaging@Gifimg@TGIFColorMap@GetColor$qqri.VCLIMG250 ref: 008604EF
                                    • @Vcl@Imaging@Gifimg@TGIFImage@StopDraw$qqrv.VCLIMG250 ref: 00869A24
                                      • Part of subcall function 0086B1D0: @System@TObject@Free$qqrv.RTL250.BPL(?,?,?,?,?,?,?,?,?,?,?,0086989E,?,008698DD,0086981D), ref: 0086B1FF
                                    • @Vcl@Imaging@Gifimg@TGIFHeader@SetBackgroundColor$qqr21System@Uitypes@TColor.VCLIMG250 ref: 00869A2E
                                      • Part of subcall function 008604F8: @Vcl@Imaging@Gifimg@TGIFColorMap@AddUnique$qqr21System@Uitypes@TColor.VCLIMG250 ref: 00860503
                                      • Part of subcall function 008604F8: @Vcl@Imaging@Gifimg@TGIFHeader@SetBackgroundColorIndex$qqruc.VCLIMG250 ref: 0086050C
                                    • @Vcl@Imaging@Gifimg@TGIFImage@Pack$qqrv.VCLIMG250 ref: 00869A35
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFImage@FreeBitmap$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A5D3
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A5E4
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A5F8
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFFrame@SetBitmap$qqrp20Vcl@Graphics@TBitmap.VCLIMG250(?,?,?,008699F6), ref: 0086A5FF
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A609
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFFrame@SetPalette$qqrp10HPALETTE__.VCLIMG250(?,?,?,008699F6), ref: 0086A610
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFList@GetCount$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A628
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A635
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFImageList@GetFrame$qqri.VCLIMG250(?,?,?,008699F6), ref: 0086A64D
                                      • Part of subcall function 0086A5CC: @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250(?,?,?,008699F6), ref: 0086A655
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00860E12
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 00860E22
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00860E32
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00860E3D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085F3D2
                                    • @Vcl@Imaging@Gifimg@TGIFColorMap@Clear$qqrv.VCLIMG250 ref: 0085F3DD
                                      • Part of subcall function 0085F404: @System@@DynArrayClear$qqrrpvpv.RTL250.BPL(?,0085F3E2), ref: 0085F410
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 0085F3EF
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085F3FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BFC011
                                    • @System@Generics@Collections@%TQueue__1$p36Oxrtl@System@Thread@TThreadQueueItem%@Clear$qqrv.OXCOMPONENTSRTL ref: 00BFC01C
                                      • Part of subcall function 00BFC0A8: @System@Generics@Collections@TQueueHelper@InternalClear4$qqrv.RTL250.BPL(?,00BFB7F5,00000000,00BFB80E,?,00BFB81D,00000000,00BFB856), ref: 00BFC0AE
                                    • @System@Generics@Collections@%TEnumerable__1$p36Oxrtl@System@Thread@TThreadQueueItem%@$bdtr$qqrv.OXCOMPONENTSRTL ref: 00BFC027
                                      • Part of subcall function 00BFBD40: @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BFBD45
                                      • Part of subcall function 00BFBD40: @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00BFBD54
                                      • Part of subcall function 00BFBD40: @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BFBD5F
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BFC032
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BCC10D
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00BCC119
                                    • @Axrtl@Project@Interfacedobject@TInterfacedObject@$bdtr$qqrv.AXCOMPONENTSRTL.BPL ref: 00BCC124
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BCC12F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00BE016D
                                    • @System@Sysutils@FreeAndNil$qqrpv.RTL250.BPL ref: 00BE0179
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00BE0184
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00BE018F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0085A8BE
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0085A8CE
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 0085A8D9
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0085A8E4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00870D9A
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 00870DAA
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00870DB5
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00870DC0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14FreeMem$qqrpv.Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 4268648442-0
                                    • Opcode ID: f52c4d1d226de08ca56f81b1622c8920ce4a41f4ca9ad503898fc939ea61f26d
                                    • Instruction ID: 317e4fc1a001b02ce6916927d2a062109d261e2c6a0088c1733dc85cf2e17149
                                    • Opcode Fuzzy Hash: f52c4d1d226de08ca56f81b1622c8920ce4a41f4ca9ad503898fc939ea61f26d
                                    • Instruction Fuzzy Hash: 7DD05E61781D10470721B66C998668A93C5EF456D33048811F988C725ADF159D8E0786
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0086018E
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 0086019A
                                    • @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 008601A5
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 008601B0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$BeforeClassClasses@Destroy$qqrxp14Destruction$qqrxp14Free$qqrv.Object.Object@Objectzc.Persistent@$bdtr$qqrv.
                                    • String ID:
                                    • API String ID: 471985288-0
                                    • Opcode ID: 83d047075e93b52a9e858a4774ba2a883053930d016088450c77f73fd55fff67
                                    • Instruction ID: 8bb90a92744b4d2ed137049adeae7f29b67fcf86a0cade16037ff4ced716f34f
                                    • Opcode Fuzzy Hash: 83d047075e93b52a9e858a4774ba2a883053930d016088450c77f73fd55fff67
                                    • Instruction Fuzzy Hash: 4CD0C962B91E20070721B67C59967DE53CAFE0A6933440461FA80C7242DF169D4D46CA
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00878196
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 008781A2
                                    • @Vcl@Graphics@TSharedImage@$bdtr$qqrv.VCL250.BPL ref: 008781AD
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 008781B8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@$System@@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Free$qqrv.Graphics@Image@$bdtr$qqrv.Object.Object@Objectzc.SharedVcl@
                                    • String ID:
                                    • API String ID: 855525534-0
                                    • Opcode ID: 1f36f539bb12323343a9276e30d305bb796a30fdddde3f01e8ea30a621959b8b
                                    • Instruction ID: 4ac100f774c9108dc823084b98f60ed6750310a9cbac69949d61276372d1b980
                                    • Opcode Fuzzy Hash: 1f36f539bb12323343a9276e30d305bb796a30fdddde3f01e8ea30a621959b8b
                                    • Instruction Fuzzy Hash: 01D0A922B80C210B0610722C489A6CE1389EE0A2933440021FA84C7302EF028D8E02C6
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 0087152E
                                    • @Vcl@Imaging@Pngimage@TChunkIHDR@FreeImageData$qqrv.VCLIMG250 ref: 00871539
                                      • Part of subcall function 00871668: DeleteObject.GDI32(?), ref: 00871673
                                      • Part of subcall function 00871668: DeleteDC.GDI32(?), ref: 00871680
                                      • Part of subcall function 00871668: @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 0087168F
                                      • Part of subcall function 00871668: DeleteObject.GDI32(?), ref: 0087169C
                                      • Part of subcall function 00871668: @System@@FreeMem$qqrpv.RTL250.BPL(?,0087153E), ref: 008716AB
                                    • @Vcl@Imaging@Pngimage@TChunk@$bdtr$qqrv.VCLIMG250 ref: 00871544
                                      • Part of subcall function 00870D98: @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00870D9A
                                      • Part of subcall function 00870D98: @System@@FreeMem$qqrpv.RTL250.BPL ref: 00870DAA
                                      • Part of subcall function 00870D98: @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00870DB5
                                      • Part of subcall function 00870D98: @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00870DC0
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 0087154F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@@$System@$Free$DeleteMem$qqrpv.$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Imaging@ObjectObject.Objectzc.Pngimage@Vcl@$ChunkChunk@$bdtr$qqrvData$qqrvImageObject@$bdtr$qqrv.
                                    • String ID:
                                    • API String ID: 2441481004-0
                                    • Opcode ID: ab3395e2c1bee009bc6e3385e1eec36326f61fb2103b73e9ca0778ca743f6f07
                                    • Instruction ID: 8015685f7483dada730b1fc44cfec566f1ff04a5f898dbfeae2e25275e02a592
                                    • Opcode Fuzzy Hash: ab3395e2c1bee009bc6e3385e1eec36326f61fb2103b73e9ca0778ca743f6f07
                                    • Instruction Fuzzy Hash: 86D01252B91D20070B1171BC18876CC0249ED56E937484151FA48D7206EF05CE4E43CB
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00867572
                                    • @System@@FreeMem$qqrpv.RTL250.BPL ref: 0086757E
                                    • @System@TObject@$bdtr$qqrv.RTL250.BPL ref: 00867589
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00867594
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250$System@System@@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14FreeMem$qqrpv.Object.Object@$bdtr$qqrv.Objectzc.
                                    • String ID:
                                    • API String ID: 4268648442-0
                                    • Opcode ID: 305ada1dccfd7e212d1ef54192a82833e9176313a1ace45a779618817ff69974
                                    • Instruction ID: 507d108e5e88439b4ebff8046f813486f3e2e1a16eb1e6bc691e24811bb5deff
                                    • Opcode Fuzzy Hash: 305ada1dccfd7e212d1ef54192a82833e9176313a1ace45a779618817ff69974
                                    • Instruction Fuzzy Hash: 2FD02262B80C61070B10B26C5C8A3CE43C4FE093D33080862FE80C7242DF068D8E03CB
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00866C7E
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00866C8A
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bdtr$qqrv.VCLIMG250 ref: 00866C95
                                      • Part of subcall function 00866734: @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00866736
                                      • Part of subcall function 00866734: @Vcl@Imaging@Gifimg@TGIFList@Remove$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 0086674B
                                      • Part of subcall function 00866734: @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 00866756
                                      • Part of subcall function 00866734: @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00866761
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00866CA0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Gifimg@Imaging@Vcl@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Objectzc.$Classes@Extension@$bdtr$qqrvFree$qqrv.ItemList@Object@Persistent@$bdtr$qqrv.Remove$qqrp27
                                    • String ID:
                                    • API String ID: 2316914881-0
                                    • Opcode ID: a28a4daec1853af77d2773461337f76a02ea64336d97a8fa771d073addb13268
                                    • Instruction ID: d07c3732823936b59dc3abbd1c47397d7b99e06266a1045cd6be9e190579870c
                                    • Opcode Fuzzy Hash: a28a4daec1853af77d2773461337f76a02ea64336d97a8fa771d073addb13268
                                    • Instruction Fuzzy Hash: 6BD02262B91CA0074B10723C18967CE03C9FF053A33448021FA80C7203EF028D4D03CB
                                    APIs
                                    • @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00866DBE
                                    • @System@TObject@Free$qqrv.RTL250.BPL ref: 00866DCA
                                    • @Vcl@Imaging@Gifimg@TGIFExtension@$bdtr$qqrv.VCLIMG250 ref: 00866DD5
                                      • Part of subcall function 00866734: @System@@BeforeDestruction$qqrxp14System@TObjectzc.RTL250.BPL ref: 00866736
                                      • Part of subcall function 00866734: @Vcl@Imaging@Gifimg@TGIFList@Remove$qqrp27Vcl@Imaging@Gifimg@TGIFItem.VCLIMG250 ref: 0086674B
                                      • Part of subcall function 00866734: @System@Classes@TPersistent@$bdtr$qqrv.RTL250.BPL ref: 00866756
                                      • Part of subcall function 00866734: @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00866761
                                    • @System@@ClassDestroy$qqrxp14System@TObject.RTL250.BPL ref: 00866DE0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: L250System@$System@@$Gifimg@Imaging@Vcl@$BeforeClassDestroy$qqrxp14Destruction$qqrxp14Object.Objectzc.$Classes@Extension@$bdtr$qqrvFree$qqrv.ItemList@Object@Persistent@$bdtr$qqrv.Remove$qqrp27
                                    • String ID:
                                    • API String ID: 2316914881-0
                                    • Opcode ID: a28a4daec1853af77d2773461337f76a02ea64336d97a8fa771d073addb13268
                                    • Instruction ID: c0647d86a589beadade3b4c1823170ce8f70261da64a38d4ac5ae2d92ee272b9
                                    • Opcode Fuzzy Hash: a28a4daec1853af77d2773461337f76a02ea64336d97a8fa771d073addb13268
                                    • Instruction Fuzzy Hash: C8D0A922B81CA0070710722C28966CE0389EE052A33044021FA80C7202EF038D4D0286
                                    APIs
                                    • @Axrtl@System@Win@Osinfo@OSInfo@IsWindows$qqr39Axrtl@System@Win@Osinfo@TWindowsVersiont1.AXCOMPONENTSRTL.BPL ref: 00BDA02F
                                    • @Axrtl@Dllroutines@DllRoutines@LoadLibrary$qqrx20System@UnicodeStringui.AXCOMPONENTSRTL.BPL ref: 00BDA03F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@System@$Osinfo@Win@$Dllroutines@Info@Library$qqrx20LoadRoutines@Stringui.UnicodeVersiont1.WindowsWindows$qqr39
                                    • String ID: Wevtapi.dll
                                    • API String ID: 311479291-2530311887
                                    • Opcode ID: abeb295489a99933c3945f334a9d25439a88a280c5bb88ae5332ba13dac51a2d
                                    • Instruction ID: 18ef067c43d3a8b19cc7b64075bbd27051892c7c4bc247a4f1d6152599bea1fd
                                    • Opcode Fuzzy Hash: abeb295489a99933c3945f334a9d25439a88a280c5bb88ae5332ba13dac51a2d
                                    • Instruction Fuzzy Hash: 32D0223006030A02CA0CAEA924007D0B3DDABC0308F0880FAE40C87302FBAAA50AC023
                                    APIs
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL ref: 00C2C1A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@Call$qqrx20Dllroutines@Routines@Stringt1.System@Unicode
                                    • String ID: RmRestart$rstrtmgr.dll
                                    • API String ID: 4267512089-2982821414
                                    • Opcode ID: 2d4fc8a1963189ecb26349623499e58f5d46058cf2d9542e6f67366ca5b11852
                                    • Instruction ID: fe5e4cd27ca3d3e8658ac763296c7683b3e5d05ba7896743e57d7217c8a0ec74
                                    • Opcode Fuzzy Hash: 2d4fc8a1963189ecb26349623499e58f5d46058cf2d9542e6f67366ca5b11852
                                    • Instruction Fuzzy Hash: 6FD012B32052283B2600A1DE7CC1C9FB6ADCECA3E03108136B608D7602C5619E1043F5
                                    APIs
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL ref: 00C2C133
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@Call$qqrx20Dllroutines@Routines@Stringt1.System@Unicode
                                    • String ID: RmShutdown$rstrtmgr.dll
                                    • API String ID: 4267512089-2683191685
                                    • Opcode ID: b3857087c2046f4ab1c001399ebb4d62017f0d8868864b4608a21db5ed056fb3
                                    • Instruction ID: a962046a3ba1a3c10a873b2662815e44222bc872363cca37cc06f2d2215a7d3b
                                    • Opcode Fuzzy Hash: b3857087c2046f4ab1c001399ebb4d62017f0d8868864b4608a21db5ed056fb3
                                    • Instruction Fuzzy Hash: C3D012B22051283B6600A1DDBCC2CAFB6ADCECA3E03108136B60897702C5719D2042F4
                                    APIs
                                    • @Axrtl@Dllroutines@DllRoutines@Call$qqrx20System@UnicodeStringt1.AXCOMPONENTSRTL.BPL(?), ref: 00C32096
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3261069876.0000000000BC1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00BC0000, based on PE: true
                                    • Associated: 00000002.00000002.3260987541.0000000000BC0000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261852188.0000000000C6C000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261936470.0000000000C6E000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261961369.0000000000C6F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3261989189.0000000000C71000.00000008.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262086427.0000000000C7E000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000002.00000002.3262110283.0000000000C7F000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_bc0000_Installer.jbxd
                                    Similarity
                                    • API ID: Axrtl@Call$qqrx20Dllroutines@Routines@Stringt1.System@Unicode
                                    • String ID: GetIfTable2$Iphlpapi.dll
                                    • API String ID: 4267512089-63597007
                                    • Opcode ID: c32167f19ff9050598746f65ef7fee7519e344b72f3a4f5d3a81feb0bfe542c7
                                    • Instruction ID: 4851e71f77edce0036616427532a81c8d79fbfcad5a967dbf6916d98317dc47e
                                    • Opcode Fuzzy Hash: c32167f19ff9050598746f65ef7fee7519e344b72f3a4f5d3a81feb0bfe542c7
                                    • Instruction Fuzzy Hash: B8C01271124149EB0F08D2D9A941D8E73FCCB84214B500066E014D2600EA32EF088765
                                    APIs
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870265
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 0087026F
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870279
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870283
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 0087028D
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 00870297
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702A1
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702AB
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702B5
                                      • Part of subcall function 00870260: @Vcl@Imaging@Pngimage@RegisterChunk$qqrp17System@TMetaClass.VCLIMG250(0088C4A8), ref: 008702BF
                                    • @Vcl@Graphics@TPicture@RegisterFileFormat$qqrx20System@UnicodeStringt1p17System@TMetaClass.VCL250.BPL(0086D5DC), ref: 0088C4BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3258310635.0000000000851000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00850000, based on PE: true
                                    • Associated: 00000002.00000002.3258278224.0000000000850000.00000002.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258644396.000000000088D000.00000004.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258724570.0000000000891000.00000008.00000001.01000000.0000000E.sdmp
                                    • Associated: 00000002.00000002.3258803118.0000000000895000.00000002.00000001.01000000.0000000E.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_850000_Installer.jbxd
                                    Similarity
                                    • API ID: System@$MetaRegisterVcl@$Chunk$qqrp17ClassImaging@Pngimage@$Class.FileFormat$qqrx20Graphics@L250Picture@Stringt1p17Unicode
                                    • String ID: PNG$Portable Network Graphics
                                    • API String ID: 627039187-806560436
                                    • Opcode ID: cb1acf612c570fed33dab59e231c9f46e2e989758eea3c6add972bf1b5dc5182
                                    • Instruction ID: cebe1e43c3df3ac7922b139d28a20bf09b9d4ad9322d06358d3ec8b9ec548ebc
                                    • Opcode Fuzzy Hash: cb1acf612c570fed33dab59e231c9f46e2e989758eea3c6add972bf1b5dc5182
                                    • Instruction Fuzzy Hash: 6BD052306401008EC790FBACEA48A1237D5F79930CF084864E20CCBA2BC6B488488B67