
Windows Analysis Report
INSTALL (1).EXE

Overview

General Information

Sample name: INSTALL (1).EXE
Analysis ID: 1466646
MD5: 9ef163303a7fc06b98beb90ae14217ba
SHA1: a8a44b4553aeedbfcc240d5ee47539119b1a4287
SHA256: 49f9aeee62ddd572dacba21f5e7298cd33856818ee3cc9d691d4788a79fbad68

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • INSTALL (1).EXE (PID: 7436 cmdline: "C:\Users\user\Desktop\INSTALL (1).EXE" MD5: 9EF163303A7FC06B98BEB90AE14217BA)
    • INSTALL.EXE (PID: 7484 cmdline: "C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE" MD5: 8D493C3586E91D6AC600C55EA6EA2B5F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: INSTALL (1).EXE | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INSTALL (1).EXE | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 109.69.187.83:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: INSTALL (1).EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb< source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb` source: INSTALL.EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb source: INSTALL.EXE
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC4C26 SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,0_2_00BC4C26
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00927C7C __EH_prolog,SetErrorMode,SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,SetErrorMode,SetLastError,GetLastError,GetLastError,GetLastError,1_2_00927C7C
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0094CA59 FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,1_2_0094CA59
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00923EF6 FtpFindFirstFileW,1_2_00923EF6
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC331F LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW,0_2_00BC331F
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00924713 HttpQueryInfoW,HttpQueryInfoW,InternetReadFile,1_2_00924713
Source: global traffic | HTTP traffic detected: GET /OptairCTA2019/INSTALL/INSTALL.ZIP HTTP/1.1; Content-Type: application/x-www-form-urlencoded; User-Agent: PC SOFT; Host: logiciels.vim.fr
Source: global traffic | DNS traffic detected: DNS query: logiciels.vim.fr
Source: INSTALL.EXE | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: INSTALL.EXE | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: INSTALL.EXE | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: INSTALL.EXE | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: INSTALL.EXE | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: INSTALL.EXE | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: INSTALL.EXE | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: INSTALL.EXE | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: INSTALL.EXE | String found in binary or memory: http://ocsp.comodoca.com0
Source: INSTALL.EXE | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: INSTALL.EXE | String found in binary or memory: http://ocsp.sectigo.com0
Source: INSTALL.EXE | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: INSTALL.EXE | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logiciels.vim.fr/
Source: INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP=
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIPsRS
Source: INSTALL.EXE | String found in binary or memory: https://sectigo.com/CPS0
Source: INSTALL.EXE | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 109.69.187.83:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BDA179, 0_2_00BE03A0, 0_2_00BDD398, 0_2_00BC74AD, 0_2_00BDA423, 0_2_00BDD5C7, 0_2_00BD254D, 0_2_00BDA6EA, 0_2_00BD4726, 0_2_00BDB770, 0_2_00BC28AF, 0_2_00BDA9A5, 0_2_00BE593B, 0_2_00BEA911, 0_2_00BC2A26, 0_2_00BE6CF9, 0_2_00BD3D96, 0_2_00BCADF0, 0_2_00BD9E07
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_009411D5, 1_2_009372FD, 1_2_009345D4, 1_2_0095066C, 1_2_0095078C, 1_2_0094F838, 1_2_00944960, 1_2_0094BA59, 1_2_00929DAA, 1_2_00935E01, 1_2_00940FA3
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: String function: 00BC6F10 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: String function: 0093D1D0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: String function: 009296EC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: String function: 00953014 appears 70 times
Source: INSTALL (1).EXE, 00000000.00000000.1660108092.0000000000C06000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWDAutoEx.EXE2 vs INSTALL (1).EXE
Source: INSTALL (1).EXE | Binary or memory string: OriginalFilenameWDAutoEx.EXE2 vs INSTALL (1).EXE
Source: INSTALL (1).EXE | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INSTALL (1).EXE | Binary string: CNTDLL.dllNtQueryInformationFile :\##(IXStream)-Handle=<%p>####(IXStream)-Access=<%x>####(IXStream)-bExact=<%d>####(IXStream)-A lire=<%u>, lu=<%u>####(IXStream)-Offset=<%I64u>##\...*.*\Device\LanmanRedirector\;d
Source: classification engine | Classification label: clean5.winEXE@3/4@1/1
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD7073 IsDlgButtonChecked,GetDlgItemTextW,GetLastError,FormatMessageW,MessageBoxW,LocalFree,EndDialog,0_2_00BD7073
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD85A7 FindResourceW,LoadResource,LockResource,0_2_00BD85A7
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\INSTALL[1].htm
Source: C:\Users\user\Desktop\INSTALL (1).EXE | File created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp
Source: INSTALL (1).EXE | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INSTALL (1).EXE | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INSTALL.EXE | String found in binary or memory: /%s/INSTALL.ZIP
Source: INSTALL.EXE | String found in binary or memory: Message : <%s>%s[]WDWDUpdate.netWDUpdate32.netWDUpdate64.netINSTALL%s%s /REP="%s%s\" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" /REP="%s" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" INSTALL.ZIPINSTALL.INIAPPLI0InstallCompositeHTTPSHTTP/%s/INSTALL.ZIPapplication/x-www-form-urlencoded407200<>INST%s.WXFINST__DISKINSTPRGCLIENT%sPARAMINSTALLEUR_PROG_INSTALLCLIENTPARAMINSTALLEUR&WDSetup.EXEINSTPRGWDFGARDETEMPPREINSTALL%s%s.WDZ.WDZftp.pcsoft.frSERVEURPORT1PASSIFANONYMELOGINPWDPRODVIVI_DETAIL-1NBFICFTPFIC%05d:NATIONDEFAUTGENERALframework.pcsoft.frDLLInst%s%s.DLL%s.DLL/DLL/%s/P
Source: INSTALL.EXE | String found in binary or memory: -Installateur) - Win326
Source: INSTALL.EXE | String found in binary or memory: FileDescriptionUSPreInstall.exe (Pre-installer) - Win32.
Source: C:\Users\user\Desktop\INSTALL (1).EXE | File read: C:\Users\user\Desktop\INSTALL (1).EXE
Source: unknown | Process created: C:\Users\user\Desktop\INSTALL (1).EXE "C:\Users\user\Desktop\INSTALL (1).EXE"
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Process created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Section loaded: apphelp.dll, mpr.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Section loaded: apphelp.dll, kernel.appcore.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\INSTALL (1).EXE | File written: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.INI
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: INSTALL (1).EXE | Static PE information: certificate valid
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: INSTALL (1).EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: INSTALL (1).EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb< source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb` source: INSTALL.EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb source: INSTALL.EXE
Source: INSTALL (1).EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INSTALL (1).EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INSTALL (1).EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INSTALL (1).EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INSTALL (1).EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC331F LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW,0_2_00BC331F
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD9146 push ecx; ret 0_2_00BD9159
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00953014 push eax; ret 1_2_00953032
Source: C:\Users\user\Desktop\INSTALL (1).EXE | File created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE (dropped file)
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD8339 GetPrivateProfileIntW,0_2_00BD8339
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093A95B GetPrivateProfileIntW,1_2_0093A95B
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00939AED __EH_prolog,MessageBoxW,GetPrivateProfileStringW,SetWindowTextW,RedrawWindow,GetPrivateProfileStringW,1_2_00939AED
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093BC77 __EH_prolog,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,1_2_0093BC77
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093A236 GetPrivateProfileStringW,SetWindowTextW,1_2_0093A236
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00924E5C __EH_prolog,Sleep,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00924E5C
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC4C26 SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,0_2_00BC4C26
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00927C7C __EH_prolog,SetErrorMode,SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,SetErrorMode,SetLastError,GetLastError,GetLastError,GetLastError,1_2_00927C7C
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0094CA59 FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,1_2_0094CA59
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00923EF6 FtpFindFirstFileW,1_2_00923EF6
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC331F LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW,0_2_00BC331F
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093C202 VirtualQuery,GetSystemInfo,1_2_0093C202
Source: INSTALL (1).EXE, 00000000.00000003.1664703900.00000000011DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: INSTALL.EXE, 00000001.00000002.1771300204.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1770628243.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1770628243.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BE207E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BE207E
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC331F LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW,0_2_00BC331F
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BE103D mov eax, dword ptr fs:[00000030h] 0_2_00BE103D
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0094C65D mov eax, dword ptr fs:[00000030h] 1_2_0094C65D
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0094C6A1 mov eax, dword ptr fs:[00000030h] 1_2_0094C6A1
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_00945730 mov eax, dword ptr fs:[00000030h] 1_2_00945730
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BE91BE GetProcessHeap,0_2_00BE91BE
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD90A3 SetUnhandledExceptionFilter,0_2_00BD90A3
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BE207E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BE207E
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD92CD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BD92CD
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD8F10 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BD8F10
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093D15A SetUnhandledExceptionFilter,1_2_0093D15A
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093D384 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0093D384
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_009467DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_009467DB
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_0093CFC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0093CFC6
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BCAA27 ShellExecuteExW,0_2_00BCAA27
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Process created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | Code function: 1_2_009214A0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,1_2_009214A0
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD8D6D cpuid 0_2_00BD8D6D
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BD915B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00BD915B
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BC941A GetTimeZoneInformation,SystemTimeToFileTime,FileTimeToSystemTime,0_2_00BC941A
Source: C:\Users\user\Desktop\INSTALL (1).EXE | Code function: 0_2_00BCD9E2 GetVersionExW,0_2_00BCD9E2
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 11 Process Injection | 11 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
INSTALL (1).EXE | 0% | ReversingLabs | |
INSTALL (1).EXE | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE | 0% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
logiciels.vim.fr | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | Avira URL Cloud | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | Avira URL Cloud | safe |
https://logiciels.vim.fr/ | 0% | Avira URL Cloud | safe |
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIPsRS | 0% | Avira URL Cloud | safe |
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP= | 0% | Avira URL Cloud | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | Virustotal | | Browse
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP | 0% | Avira URL Cloud | safe |
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP | 0% | Virustotal | | Browse
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
logiciels.vim.fr | 109.69.187.83 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | INSTALL.EXE | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | INSTALL.EXE | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | INSTALL.EXE | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | INSTALL.EXE | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | INSTALL.EXE | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | INSTALL.EXE | false | URL Reputation: safe; URL Reputation: safe | unknown
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIPsRS | INSTALL.EXE, 00000001.00000003.1770628243.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP= | INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://logiciels.vim.fr/ | INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | --- | ---
109.69.187.83 | logiciels.vim.fr | France | | 50446 | DATACAMPUSFR | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466646
Start date and time:2024-07-03 08:25:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:INSTALL (1).EXE
Detection:CLEAN
Classification:clean5.winEXE@3/4@1/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 88
  • Number of non-executed functions: 152
Cookbook Comments:
  • Found application associated with file extension: .EXE
  • Stop behavior analysis, all processes terminated
  • Excluded IPs from analysis (whitelisted): 20.114.59.183, 93.184.221.240
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
DATACAMPUSFR | TL6bE5Uq4y.exe | Get hash | malicious | PureLog Stealer, SystemBC | Browse | 109.69.189.31
DATACAMPUSFR | Tcq0c0oFtb.elf | Get hash | malicious | Mirai | Browse | 109.69.185.121
DATACAMPUSFR | RVs7Yo67uw.elf | Get hash | malicious | Mirai | Browse | 109.69.185.164
DATACAMPUSFR | All.arm7.elf | Get hash | malicious | Mirai | Browse | 109.69.185.158

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
37f463bf4616ecd445d4a1937da06e19 | birectangular.vbs | Get hash | malicious | FormBook, GuLoader | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exe | Get hash | malicious | Unknown | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exe | Get hash | malicious | Unknown | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | Vidar | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | FmQx1Fw3VA.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | config.lnk.mal.lnk | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | invoicepast.pdf.lnk.mal.lnk | Get hash | malicious | ScreenConnect Tool | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | Invoice-UPS-218931.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | IF10339.pdf.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 109.69.187.83
37f463bf4616ecd445d4a1937da06e19 | Video%20HD%20%281080p%29.lnk.mal.lnk | Get hash | malicious | Unknown | Browse | 109.69.187.83
No context
Process:C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):1527
Entropy (8bit):4.775681572027714
Encrypted:false
SSDEEP:24:YBjbUMLmpnZogSA5JeMDt8Nzs7fxzDs5XkGII6LGyflyEwL9n5iNiQGxRfSxXa:WHUMLkka8dKGII6LGyoEwL9nUoQGuxK
MD5:1893F01D91313EFD0097F78B42C99ADB
SHA1:D743F09BB14292655398FCBC63696A302AFD7F07
SHA-256:81A36AA46B372BD21EAF4CCD714B908A97240BBB3AA046AAC7BDD5E98C53BEC9
SHA-512:1AA38CB550DC4099E97387E69CE014B8C40AF3A7386F5121514CA527D51FAD61BCBC4D8DBA214F548B4C857BAFBBE5EF66BD447783DACC3803213AF5851DB659
Malicious:false
Reputation:low
Preview:<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">.<head>. <title>Connection denied by Geolocation</title>. <style type="text/css">. body {. font-family: Arial, Helvetica, Verdana, Sans-Serif;. font-size: small;. font-weight: normal;. color: #000000;. }. div {. margin-left: auto;. margin-right: auto;. text-align: center;. }. .box {. width: 601px;. background-color: #F2F2F2;. border-left: solid 1px #C2C2C2;. border-right: solid 1px #C2C2C2;. vertical-align: middle;. padding: 20px 10px 20px 10px;. }. p {. text-align: left;. }. .red {. font-weight: bold;. color: Red;. text-align: center;. }. .band {. height: 20px;. color: White;. background: #333333;. width: 600px;. border-left: solid 1px #333333;. border-right: solid 1px #333333;. padding: 3px 10px 0px 10px;. }. div#wrap {. margin-top: 50px;. }. </style>.</head>. <bo
Process:C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):1527
Entropy (8bit):4.775681572027714
Encrypted:false
SSDEEP:24:YBjbUMLmpnZogSA5JeMDt8Nzs7fxzDs5XkGII6LGyflyEwL9n5iNiQGxRfSxXa:WHUMLkka8dKGII6LGyoEwL9nUoQGuxK
MD5:1893F01D91313EFD0097F78B42C99ADB
SHA1:D743F09BB14292655398FCBC63696A302AFD7F07
SHA-256:81A36AA46B372BD21EAF4CCD714B908A97240BBB3AA046AAC7BDD5E98C53BEC9
SHA-512:1AA38CB550DC4099E97387E69CE014B8C40AF3A7386F5121514CA527D51FAD61BCBC4D8DBA214F548B4C857BAFBBE5EF66BD447783DACC3803213AF5851DB659
Malicious:false
Reputation:low
Preview:<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">.<head>. <title>Connection denied by Geolocation</title>. <style type="text/css">. body {. font-family: Arial, Helvetica, Verdana, Sans-Serif;. font-size: small;. font-weight: normal;. color: #000000;. }. div {. margin-left: auto;. margin-right: auto;. text-align: center;. }. .box {. width: 601px;. background-color: #F2F2F2;. border-left: solid 1px #C2C2C2;. border-right: solid 1px #C2C2C2;. vertical-align: middle;. padding: 20px 10px 20px 10px;. }. p {. text-align: left;. }. .red {. font-weight: bold;. color: Red;. text-align: center;. }. .band {. height: 20px;. color: White;. background: #333333;. width: 600px;. border-left: solid 1px #333333;. border-right: solid 1px #333333;. padding: 3px 10px 0px 10px;. }. div#wrap {. margin-top: 50px;. }. </style>.</head>. <bo
Process:C:\Users\user\Desktop\INSTALL (1).EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):482696
Entropy (8bit):6.624794863265175
Encrypted:false
SSDEEP:12288:7GE4JYN6g3oXlWnwgcFRrEv4qWna9nYw/EwqW87uxRvmx:WqN6g2AGrEvFW6/xLxxmx
MD5:8D493C3586E91D6AC600C55EA6EA2B5F
SHA1:DBBDD2C746416EBE6B066AB70B0F33F78A5E17FC
SHA-256:5B61AFEA87B4DFA381CBDC4C0609C49064D18E89D2AF62783B476A23E5AFE931
SHA-512:4A5F1075F66DC55CB297608754369E462CCE8A7B81BC08AE63E845609A316A33C9783A847002EF19CF83311A097C542A220505AE481ABBADF96131D2730A518C
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._..._..._...4..._...4..|_...4..._...*..._...*..._...*..._...4..._..._..)_...*..._...*..._...*..._..._j.._...*..._..Rich._..........................PE..L...C..d.................*..........m........@....@..........................p............@.........................0...T.......d.......h".............../...@.../..8...T...........................8D..@............@..t.......@....................text..._).......*.................. ..`.rdata.......@......................@..@.data...............................@....rsrc...h".......$..................@..@.reloc.../...@...0..................@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\INSTALL (1).EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):286
Entropy (8bit):3.5605628328541394
Encrypted:false
SSDEEP:6:Q+2lsYL4UXKaLail9q2lMFO8X2lxSlslsYLo8ivURYrMlxn:Q+C/4UaaLai3q2ln8mlxpo/vUGMlxn
MD5:9CF6683A85C648B48E6817504406E84B
SHA1:0518D1A532FF042E4A045E40891F1E3749CF22E4
SHA-256:8342EA95ED603ADECFF5A9F5C9877409E466E9A57B22CA36B26B882020E8179B
SHA-512:F9865305F538C7784AC3A901E11A6CC76BD899EB12772F7E79948E3DB720E54C84DB46914C5F17F4913E576E44110B3CE71FA07259CAE7817F9D7992AD574FF4
Malicious:false
Reputation:low
Preview:..[.I.N.S.T.A.L.L.].....A.P.P.L.I.=.O.P.T.A.I.R. .C.T.A.....P.R.O.T.O.C.O.L.E.=.H.T.T.P.S.....S.E.R.V.E.U.R.=.l.o.g.i.c.i.e.l.s...v.i.m...f.r.....C.H.E.M.I.N.=.O.p.t.a.i.r.C.T.A.2.0.1.9./.I.N.S.T.A.L.L.....A.U.T.H.E.N.T.I.F.I.C.A.T.I.O.N.=.0.....I.n.s.t.a.l.l.C.o.m.p.o.s.i.t.e.=.0.....
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.316581949387796
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:INSTALL (1).EXE
File size:632'784 bytes
MD5:9ef163303a7fc06b98beb90ae14217ba
SHA1:a8a44b4553aeedbfcc240d5ee47539119b1a4287
SHA256:49f9aeee62ddd572dacba21f5e7298cd33856818ee3cc9d691d4788a79fbad68
SHA512:73fca97e6c8a4299404264b07df6916646c542843a69a97584da8de516adf6cb5b71c03205bcf140804e2993d987956e991dc1596afab9c02ada07607bfe3819
SSDEEP:12288:FBo9oKbH9+TYDbqiYHX6Ofc4YLWKMUvVbm2HnhT7ZFTjHCSpNIlUPciRd:FBozz9+TYDbuHqOfEWhUvVbm2Hh33Hr1
TLSH:D0D4E10272C140F2E971093114F69A2A5A6EBD358A7149EF63DC332E9EB03519736BF7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.S...=...=...=.......=.......=.......=._.9...=._.>...=._.8.'.=.......=...<...=...4.K.=...=...=.......=.......=...?...=.Rich..=
Icon Hash:4b033d3d2c2d3d38
Entrypoint:0x418cf1
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x648C6527 [Fri Jun 16 13:35:35 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:7c7b72fdd5b7fbcb1ab044da94dc98a5
Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 21/07/2022 01:00:00 21/07/2025 00:59:59
Subject Chain
  • CN=VIM, O=VIM, S=Nouvelle-Aquitaine, C=FR
Version:3
Thumbprint MD5:A0859CEE23F2652EC2A571070918ED88
Thumbprint SHA-1:92179F9992D3F3BCD6FCD0CB10D2ECFF51AF590F
Thumbprint SHA-256:49E805BF8A6C1FFDA5A4489AC42041A153C92CB1F74A6498A22FF1F5821BFB3E
Serial:6761171B3FB63655ACAC7F9C0666A930
Instruction
call 00007F2EC4F0DB97h
jmp 00007F2EC4F0D55Fh
jmp 00007F2EC4F12DDBh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2EC4F0D0F9h
mov dword ptr [esi], 0042F438h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0042F440h
mov dword ptr [ecx], 0042F438h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2EC4F0D0AEh
push 00440AD0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2EC4F10266h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2EC4F0D6A2h
push 00440B64h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2EC4F10249h
int3
push ebp
mov ebp, esp
and dword ptr [00444164h], 00000000h
sub esp, 24h
push ebx
xor ebx, ebx
inc ebx
or dword ptr [00443004h], ebx
push 0000000Ah
call 00007F2EC4F21FD5h
test eax, eax
je 00007F2EC4F0D852h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
or dword ptr [00443004h], 02h
xor ecx, ecx
push esi
push edi
mov dword ptr [00444164h], ebx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x40f50 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40fa4 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x16d30 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x977a8 | 0x3028 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x235c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f5b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f620 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x1000 | 0x2d192 | 0x2d200 | 2b83ee2e6f54660332256f733f69107f | False | 0.590173779432133 | data | 6.703827470047728 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2f000 | 0x1301a | 0x13200 | c1e8ca856f986c19704cf33334468ccc | False | 0.5599468954248366 | data | 6.031368321011895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x43000 | 0x2544 | 0x1200 | 2634537ff69bb332592b827b86de05bd | False | 0.21614583333333334 | DOS executable (block device driver @\273\) | 3.8382379014632746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x46000 | 0x16d30 | 0x16e00 | 743ede69efa2eb73a767816ecba3a30b | False | 0.3147946550546448 | data | 5.038140406005554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5d000 | 0x235c | 0x2400 | edaca814a4201edbde709c9f250b5e45 | False | 0.7473958333333334 | data | 6.5384960683409155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
--- | --- | --- | --- | --- | --- | ---
INFOWDZ | 0x46550 | 0x121 | data | French | France | 0.71280276816609
INFOWDZ | 0x46678 | 0x226 | data | French | France | 0.56
RT_ICON | 0x46b38 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | French | France | 0.2747988879687685
RT_ICON | 0x57360 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | French | France | 0.4720954356846473
RT_ICON | 0x59908 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | French | France | 0.5236866791744841
RT_ICON | 0x5a9b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | French | France | 0.62322695035461
RT_DIALOG | 0x468a0 | 0x298 | data | French | France | 0.516566265060241
RT_STRING | 0x5b2e8 | 0xca | data | French | France | 0.594059405940594
RT_STRING | 0x5b3b8 | 0x6c | data | French | France | 0.6388888888888888
RT_STRING | 0x5b490 | 0x6e | data | French | France | 0.7
RT_STRING | 0x5b428 | 0x64 | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | French | France | 0.69
RT_STRING | 0x5c560 | 0x262 | data | French | France | 0.2934426229508197
RT_STRING | 0x5c360 | 0x1fa | data | French | France | 0.2766798418972332
RT_STRING | 0x5bb18 | 0x65a | data | French | France | 0.25891758917589175
RT_STRING | 0x5c200 | 0x160 | data | French | France | 0.34375
RT_STRING | 0x5c178 | 0x84 | data | French | France | 0.6363636363636364
RT_STRING | 0x5c7c8 | 0x9a | Matlab v4 mat-file (little endian) m, numeric, rows 0, columns 0 | French | France | 0.6103896103896104
RT_STRING | 0x5c868 | 0x80 | data | French | France | 0.6328125
RT_STRING | 0x5b500 | 0x198 | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | French | France | 0.5
RT_STRING | 0x5b698 | 0x3d0 | data | French | France | 0.32479508196721313
RT_STRING | 0x5ba68 | 0xae | data | French | France | 0.6264367816091954
RT_GROUP_ICON | 0x5ae18 | 0x3e | data | French | France | 0.8387096774193549
RT_VERSION | 0x5ae58 | 0x490 | data | French | France | 0.4186643835616438
RT_MANIFEST | 0x5c8e8 | 0x448 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1036), with CRLF line terminators | English | United States | 0.45894160583941607
DLL | Import
--- | ---
COMCTL32.dll |
MPR.dll | WNetOpenEnumW, WNetCloseEnum, WNetEnumResourceW, WNetGetUniversalNameW
UxTheme.dll | SetWindowTheme
KERNEL32.dll | WideCharToMultiByte, MultiByteToWideChar, InterlockedExchangeAdd, InterlockedIncrement, GetLastError, LoadLibraryW, GetFileInformationByHandle, GetLogicalDriveStringsW, GetVolumeInformationW, WriteFile, ReadFile, SetFilePointer, LockFile, LockFileEx, UnlockFile, UnlockFileEx, FlushFileBuffers, SetEndOfFile, SetFileValidData, SetErrorMode, SetFileTime, SetLastError, GetFileTime, SystemTimeToFileTime, FileTimeToSystemTime, CreateFileW, Sleep, DeleteFileW, GetFileAttributesW, CreateDirectoryW, RemoveDirectoryW, FindFirstFileW, FindClose, SetFileAttributesW, FindFirstFileExW, FindNextFileW, GetTempPathW, GetCurrentDirectoryW, GetTempFileNameW, GetFullPathNameW, GetDriveTypeW, QueryDosDeviceW, FreeLibrary, OpenProcess, TerminateProcess, GetModuleFileNameW, CompareStringW, CompareStringA, GetPrivateProfileStringW, GetTimeZoneInformation, HeapSize, InterlockedDecrement, GetVersionExW, GetCurrentProcess, CreateProcessW, InitializeCriticalSection, DeleteCriticalSection, LCMapStringW, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsFree, GetCurrentThreadId, TlsGetValue, TlsSetValue, GetPrivateProfileIntW, SetEnvironmentVariableW, GetExitCodeProcess, GetProcessHeap, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, WriteConsoleW, HeapReAlloc, SetStdHandle, DecodePointer, GetStringTypeW, HeapAlloc, HeapFree, GetACP, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileType, RtlUnwind, LoadLibraryExW, InitializeCriticalSectionAndSpinCount, RaiseException, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, LocalFree, LockResource, LoadResource, FindResourceW, FormatMessageW, GetProcAddress, MulDiv, GetModuleHandleW, CloseHandle, GetConsoleCP, GetConsoleMode, SetFilePointerEx, QueryPerformanceCounter, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent
USER32.dll | GetDlgItemTextW, IsDlgButtonChecked, CheckDlgButton, GetDlgItem, SetDlgItemTextW, SetWindowPos, GetParent, DialogBoxParamW, EndDialog, IsWindow, CharUpperBuffW, MessageBoxW, LoadStringW, FillRect, DestroyWindow, DrawTextW, UpdateWindow, ShowWindow, SendMessageW, GetClientRect, GetSystemMetrics, CreateWindowExW, ReleaseDC, GetWindowDC, GetDesktopWindow, RegisterClassW, LoadIconW, DefWindowProcW, SendDlgItemMessageW, SetWindowTextW, CharUpperW, GetDC
GDI32.dll | GetStockObject, SetROP2, LineTo, MoveToEx, CreatePen, DeleteObject, SelectObject, CreateFontIndirectW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush
ADVAPI32.dll | RegCloseKey, RegQueryValueExW, RegOpenKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteW, ShellExecuteExW
ole32.dll | OleInitialize
Name | Ordinal | Address
--- | --- | ---
CommandeComposante | 1 | 0x401d23

Language of compilation system | Country where language is spoken | Map
--- | --- | ---
French | France |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jul 3, 2024 08:25:58.627774954 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:25:58.627835035 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:25:58.627969980 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:25:58.999346018 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:25:58.999382019 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:25:59.912352085 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:25:59.912619114 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:25:59.993462086 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:25:59.993493080 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:25:59.993823051 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:25:59.993891954 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.020670891 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.064507961 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:26:00.200392008 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:26:00.200417995 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:26:00.200478077 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Jul 3, 2024 08:26:00.200495005 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.200525045 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.200557947 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.218592882 CEST | 49734 | 443 | 192.168.2.4 | 109.69.187.83
Jul 3, 2024 08:26:00.218631029 CEST | 443 | 49734 | 109.69.187.83 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jul 3, 2024 08:25:58.553491116 CEST | 55967 | 53 | 192.168.2.4 | 1.1.1.1
Jul 3, 2024 08:25:58.602725983 CEST | 53 | 55967 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Jul 3, 2024 08:25:58.553491116 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c36 | Standard query (0) | logiciels.vim.fr | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jul 3, 2024 08:25:58.602725983 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c36 | No error (0) | logiciels.vim.fr | | 109.69.187.83 | A (IP address) | IN (0x0001) | false
  • logiciels.vim.fr
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.4 | 49734 | 109.69.187.83 | 443 | 7484 | C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---

2024-07-03 06:26:00 UTC | 145 | OUT:
GET /OptairCTA2019/INSTALL/INSTALL.ZIP HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PC SOFT
Host: logiciels.vim.fr

2024-07-03 06:26:00 UTC | 985 | IN:
HTTP/1.1 200 OK
Date: Wed, 03 Jul 2024 06:26:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self'
X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self'
X-Webkit-CSP: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self'; child-src 'self'

2024-07-03 06:26:00 UTC | 1539 | IN:
Data Raw: 35 66 37 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 3c 74 69 74 6c 65 3e 43 6f 6e 6e 65 63 74 69 6f 6e 20 64 65 6e 69 65 64 20 62 79 20 47 65 6f 6c 6f 63 61 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 56 65 72 64 61 6e 61 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 3b 0a 20 20 20
Data Ascii: 5f7<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Connection denied by Geolocation</title> <style type="text/css"> body { font-family: Arial, Helvetica, Verdana, Sans-Serif; font-size: small;


Target ID:0
Start time:02:25:56
Start date:03/07/2024
Path:C:\Users\user\Desktop\INSTALL (1).EXE
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\INSTALL (1).EXE"
Imagebase:0xbc0000
File size:632'784 bytes
MD5 hash:9EF163303A7FC06B98BEB90AE14217BA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:02:25:56
Start date:03/07/2024
Path:C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"
Imagebase:0x920000
File size:482'696 bytes
MD5 hash:8D493C3586E91D6AC600C55EA6EA2B5F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 0%, ReversingLabs
  • Detection: 0%, Virustotal, Browse
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:6.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:3.7%
    Total number of Nodes:348
    Total number of Limit Nodes:16
    APIs
    • FindResourceW.KERNELBASE(00000000,00000000,INFOWDZ,00BD85EA,00BF85C0,00000000,00000000), ref: 00BD85B2
    • LoadResource.KERNEL32(00000000,00000000), ref: 00BD85BF
    • LockResource.KERNEL32(00000000), ref: 00BD85CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Resource$FindLoadLock
    • String ID: INFOWDZ
    • API String ID: 2752051264-456223636
    • Opcode ID: 47266fa5d5bb13f0e98ac3e28aabccbb161a4141789c01ef69fb17c244609ef0
    • Instruction ID: 9c20afa20a2125278c4c309fdc63caca295ad575fac0e71a864bc0722c721165
    • Opcode Fuzzy Hash: 47266fa5d5bb13f0e98ac3e28aabccbb161a4141789c01ef69fb17c244609ef0
    • Instruction Fuzzy Hash: F7D0C9A0380246AAEE001B72AC8DB37769EDB40B43F0400A5BA09EA6D0EE64CB00D532
    APIs
    • ShellExecuteExW.SHELL32(0000003C), ref: 00BCAA7E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ExecuteShell
    • String ID: <$runas
    • API String ID: 587946157-1187129395
    • Opcode ID: c6c1caa73327002ec2f93962e7b87b588354ffd4154b39889ddd1b56fec2f103
    • Instruction ID: b1fba6f8d38ac1dd441aa2a5f80a60e8bcd3737bab704640455dd76500865893
    • Opcode Fuzzy Hash: c6c1caa73327002ec2f93962e7b87b588354ffd4154b39889ddd1b56fec2f103
    • Instruction Fuzzy Hash: 3B015AB5D11219ABCB40CFA9D584ADDBBF8AF48704F11826AE814E3250E77499808F54
    APIs
    • GetTimeZoneInformation.KERNELBASE(?), ref: 00BC942E
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC943E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BC9488
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Time$FileSystem$InformationZone
    • String ID:
    • API String ID: 3846428178-0
    • Opcode ID: e44e2bbe5e5bccb208a05fd6c86a9626ddeac433d805d0f80fa005a06c7c4f5c
    • Instruction ID: d9435c10e1424a8597f6a6164c0130064953c0e0df91b9b83f48b35d55b26923
    • Opcode Fuzzy Hash: e44e2bbe5e5bccb208a05fd6c86a9626ddeac433d805d0f80fa005a06c7c4f5c
    • Instruction Fuzzy Hash: B8014072D00119ABEB14DB94DC89FEE77BCEB84315F0541A5E925E7280E6349A45CB90
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,00BE1013,00000000,00C00BE0,0000000C,00BE116A,00000000,00000002,00000000), ref: 00BE105E
    • TerminateProcess.KERNEL32(00000000,?,00BE1013,00000000,00C00BE0,0000000C,00BE116A,00000000,00000002,00000000), ref: 00BE1065
    • ExitProcess.KERNEL32 ref: 00BE1077
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: f3e5d9a59dd94208468c33d4b11ddd1a9fe0ba7ccbb4c67292df072b541ab4ea
    • Instruction ID: 7a200bd39d103763b58ebeaab55200b41c6e57314b6fb1f362b0d3950af6fa37
    • Opcode Fuzzy Hash: f3e5d9a59dd94208468c33d4b11ddd1a9fe0ba7ccbb4c67292df072b541ab4ea
    • Instruction Fuzzy Hash: 90E0B6321005C9EBCF116F59DD49A693BA9FB44781F108868F8059B523CB35DD82DA90

    Control-flow Graph

    APIs
    • _wcslen.LIBCMT ref: 00BC1587
    • MulDiv.KERNEL32(000001FA,?,00000060), ref: 00BC15B8
    • MulDiv.KERNEL32(00000083,?,00000060), ref: 00BC15C5
    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000), ref: 00BC15CD
    • KiUserCallbackDispatcher.NTDLL(00000001), ref: 00BC15E0
    • GetSystemMetrics.USER32(00000000), ref: 00BC15EC
    • CreateWindowExW.USER32(00000000,AMORCE,?,80800000,00000000,?,00000000), ref: 00BC1607
    • GetClientRect.USER32(00000000,?), ref: 00BC161E
    • MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC1637
    • MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC164F
    • MulDiv.KERNEL32(00000011,?,00000060), ref: 00BC165E
    • MulDiv.KERNEL32(00000012,?,00000060), ref: 00BC167A
    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000), ref: 00BC1686
    • MulDiv.KERNEL32(00000011,?,00000060), ref: 00BC1699
    • MulDiv.KERNEL32(00000012,?,00000060), ref: 00BC16A3
    • CreateWindowExW.USER32(00000000,msctls_progress32,00BF85C0,50000001,00000000,?,?,?,00000000), ref: 00BC16C3
    • SetWindowTheme.UXTHEME(00000000,00BF85C0,00BF85C0,?,00000000), ref: 00BC16CF
    • SendMessageW.USER32(?,00000409,00000000,00E1A11A), ref: 00BC16F5
    • SendMessageW.USER32(?,00002001,00000000,00FFFFFF), ref: 00BC1711
    • ShowWindow.USER32(01198500,00000005,?,00000000), ref: 00BC1718
    • KiUserCallbackDispatcher.NTDLL(01198500), ref: 00BC1721
    • SetBkMode.GDI32(00000000,00000001), ref: 00BC1742
    • SetTextColor.GDI32(00000000,00E7B86B), ref: 00BC175C
    • MulDiv.KERNEL32(000000EE,?,00000060), ref: 00BC177C
    • CreateFontIndirectW.GDI32(?), ref: 00BC17B3
    • SelectObject.GDI32(00000000,00000000), ref: 00BC17BD
      • Part of subcall function 00BC80C9: CharUpperBuffW.USER32(?,00000001,00BC159C,?,?,?,?,00000000,?,00000000), ref: 00BC80CC
    • MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC17DC
    • DrawTextW.USER32(?,?,000000FF,?,00000024), ref: 00BC1801
    • SelectObject.GDI32(?,00000000), ref: 00BC1809
    • DeleteObject.GDI32(00000000), ref: 00BC1816
    • MulDiv.KERNEL32(00000001,?,00000060), ref: 00BC1824
    • CreatePen.GDI32(00000000,00000000), ref: 00BC182D
    • SelectObject.GDI32(?,00000000), ref: 00BC183D
    • MoveToEx.GDI32(?,?,?,00000000), ref: 00BC184F
    • LineTo.GDI32(?,?,?), ref: 00BC1866
    • SelectObject.GDI32(?,00000000), ref: 00BC1872
    • DeleteObject.GDI32(00000000), ref: 00BC1875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Object$CreateSelectWindow$CallbackDeleteDispatcherHandleMessageModuleSendTextUser$BuffCharClientColorDrawFontIndirectLineMetricsModeMoveRectShowSystemThemeUpper_wcslen
    • String ID: AMORCE$OOO$Open sans$msctls_progress32
    • API String ID: 4166743866-926394693
    • Opcode ID: 51bbbf8967d33b29ee13cdf35cf25e76872f35efee7cdfa55335207117429bbb
    • Instruction ID: b177e9c6bab6802df7b3c20b9f9dd21232bf8bc319508f1e22dd8ae10e5f725a
    • Opcode Fuzzy Hash: 51bbbf8967d33b29ee13cdf35cf25e76872f35efee7cdfa55335207117429bbb
    • Instruction Fuzzy Hash: 2AA1827264034ABFEB109F64DC49FAB7BE9EF48710F004529FA09AB191DBB19D14CB61

    Control-flow Graph

    APIs
    • GetClientRect.USER32(01198500,?), ref: 00BC18C4
    • CreateSolidBrush.GDI32(00F7F7F7), ref: 00BC18DC
    • SetBkMode.GDI32(00000000,00000001), ref: 00BC18F3
    • SetTextColor.GDI32(00000000,00777777), ref: 00BC190C
    • SetROP2.GDI32(00000000,0000000E), ref: 00BC1915
    • GetStockObject.GDI32(00000011), ref: 00BC191D
    • SelectObject.GDI32(00000000,00000000), ref: 00BC1925
    • MulDiv.KERNEL32(00000012,?,00000060), ref: 00BC193C
    • MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC195B
    • MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC1978
    • MulDiv.KERNEL32(00000011,?,00000060), ref: 00BC1987
    • MulDiv.KERNEL32(00000014,?,00000060), ref: 00BC19A7
    • MulDiv.KERNEL32(00000044,?,00000060), ref: 00BC19C2
    • FillRect.USER32(00000000,?,?), ref: 00BC19DB
    • DrawTextW.USER32(00000000,?,000000FF,?,00000024), ref: 00BC1A0E
    • FillRect.USER32(00000000,?,?), ref: 00BC1A35
    • DrawTextW.USER32(00000000,?,000000FF,?,00000026), ref: 00BC1A77
    • SelectObject.GDI32(00000000,?), ref: 00BC1A82
    • DeleteObject.GDI32(?), ref: 00BC1A95
    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00BC1AB2
    • SendMessageW.USER32(?,00000402,?,00000000), ref: 00BC1ABF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Object$RectText$DrawFillMessageSelectSend$BrushClientColorCreateDeleteModeSolidStock
    • String ID: %3i %%$333$@s)u$www
    • API String ID: 3018905416-1691371923
    • Opcode ID: e595319fb3eb7575665bdac23426c2376a99cf418f679c58f4e7fcea41a9fcc5
    • Instruction ID: 61a5a7ab56ae324bc054555b6459c4d4571760342a5d5157b5ec0e55734850c0
    • Opcode Fuzzy Hash: e595319fb3eb7575665bdac23426c2376a99cf418f679c58f4e7fcea41a9fcc5
    • Instruction Fuzzy Hash: A451B271604345AFDB049F64CC89F6B7BE9EF88310F044569FA45EB1A2DBB1E805CB61

    Control-flow Graph

    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Themes\Personalize,00000000,00020019,?), ref: 00BC145E
    • RegQueryValueExW.KERNELBASE(?,AppsUseLightTheme,00000000,00000000,?,?), ref: 00BC1487
    • FindCloseChangeNotification.KERNELBASE(?), ref: 00BC149C
    • GetModuleHandleW.KERNEL32(00000000), ref: 00BC14BA
    • GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00BC14C2
    • LoadIconW.USER32(00000000), ref: 00BC14C5
    • CreateSolidBrush.GDI32(00F7F7F7), ref: 00BC14E2
    • RegisterClassW.USER32(?), ref: 00BC14F9
    • #17.COMCTL32 ref: 00BC14FF
    • GetDesktopWindow.USER32 ref: 00BC150E
    • GetDesktopWindow.USER32 ref: 00BC1512
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: DesktopHandleModuleWindow$BrushChangeClassCloseCreateFindIconLoadNotificationOpenQueryRegisterSolidValue
    • String ID: 333$@s)u$AMORCE$AppsUseLightTheme$Software\Microsoft\Windows\CurrentVersion\Themes\Personalize$`
    • API String ID: 1985229537-2780356297
    • Opcode ID: 8d583928d032ef848cdf15df6328eee57f1d062560d1e2746a783fed392fb023
    • Instruction ID: 5700f342a6daa3d2f15d21e53bdec5c0b4395de502f5ab0f01d042276621bed4
    • Opcode Fuzzy Hash: 8d583928d032ef848cdf15df6328eee57f1d062560d1e2746a783fed392fb023
    • Instruction Fuzzy Hash: 84310DB5D00259ABCB109FA6DC889AFBFFCEF84751B10446AF905EB211DB748A05CF90

    Control-flow Graph

    APIs
    • _strlen.LIBCMT ref: 00BD79C6
    • _wcslen.LIBCMT ref: 00BD7AF4
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104, /RELANCE,00000000,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 00BD7B13
    • _wcslen.LIBCMT ref: 00BD7B59
    • _wcslen.LIBCMT ref: 00BD7B87
    • _wcslen.LIBCMT ref: 00BD7BB0
    • _wcslen.LIBCMT ref: 00BD7CCE
      • Part of subcall function 00BC4F33: SetErrorMode.KERNEL32(00008001,?,?,00000000,00BD7E09,00BF85C0,00000000,?,00BD7CC2), ref: 00BC4F3D
      • Part of subcall function 00BC4F33: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F4B
      • Part of subcall function 00BC4F33: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F53
      • Part of subcall function 00BC4F33: SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F5C
      • Part of subcall function 00BC4F33: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F63
      • Part of subcall function 00BD8339: GetPrivateProfileIntW.KERNEL32(INSTALL,GARDETEMP,00000000,INSTALL.INI), ref: 00BD834D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: _wcslen$Error$LastMode$CurrentDirectoryFileModuleNamePrivateProfile_strlen
    • String ID: /RELANCE$@$PID$RELANCE$REP$SILENT$TIT$WAIT
    • API String ID: 2534053282-3878716525
    • Opcode ID: 77c10cd212e5ebb3ad03a0c2c4bb465e9213c81c04fafe5f8bdfa3e2e9e9b427
    • Instruction ID: 801481c10bd6ce48c962b83f3530786a6fa908c3d234cc9f59eb8983be2fa16c
    • Opcode Fuzzy Hash: 77c10cd212e5ebb3ad03a0c2c4bb465e9213c81c04fafe5f8bdfa3e2e9e9b427
    • Instruction Fuzzy Hash: DC919D711583499ED724EB24D896FEFB7D8EF81310F0409AFB58A82291FF709909CB56

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001,00000001,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4257
    • CreateFileW.KERNEL32(?,40000000,?,00000000,00000003,?,00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003), ref: 00BC42B8
    • CreateFileW.KERNEL32(?,40000000,?,00000000,00BC50C0,?,00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003), ref: 00BC42ED
    • SetLastError.KERNEL32(000000B7,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4310
    • GetLastError.KERNEL32(?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4332
    • SetErrorMode.KERNELBASE(?,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC433E
    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4349
    • GetLastError.KERNEL32(?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4358
    • SetLastError.KERNEL32(00000000,00000001,00000000,?,?,?,?,00000000), ref: 00BC43F7
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC4389
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$Last$CreateFileMode
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 3800500338-1932549541
    • Opcode ID: 25638eb03fd4a985310c916bd5d314633fc932a6a661b008a8b25ae3d0cc352b
    • Instruction ID: a8a4e1c181ebc9936267c4d7c2c155e4267a40a1e08a9bcf83e1a4423fb290da
    • Opcode Fuzzy Hash: 25638eb03fd4a985310c916bd5d314633fc932a6a661b008a8b25ae3d0cc352b
    • Instruction Fuzzy Hash: 2051FC31640745AFE714AF70CC99F7AB7E9FB88700F10866DF9259B281CB71AE118B91

    Control-flow Graph

    APIs
    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000000,00000000,00000000), ref: 00BD820F
    • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,?,00000001), ref: 00BD8225
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000000,00000000), ref: 00BD8247
    • SetEnvironmentVariableW.KERNEL32(ZIP_SOURCE,?), ref: 00BD8283
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00BD82F8
    • Sleep.KERNEL32(000003E8), ref: 00BD830B
    • CloseHandle.KERNEL32(00000000), ref: 00BD8318
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: CloseCodeCurrentDirectoryEnvironmentExecuteExitFileHandleModuleNameProcessShellSleepVariable
    • String ID: %s /ZIP_SOURCE="%s"$ZIP_SOURCE
    • API String ID: 2030700623-3687924777
    • Opcode ID: 2c3d7f24bcb558834ffcdb12910a985af202da7d22028866e82b821c762997b3
    • Instruction ID: 7fe39c60b7e7cb10e36fabdc56d2dda0ab0756389f95c38ad99f0070227def67
    • Opcode Fuzzy Hash: 2c3d7f24bcb558834ffcdb12910a985af202da7d22028866e82b821c762997b3
    • Instruction Fuzzy Hash: D7417D72504646ABD324EB60DC85EFBB7ECEB84751F00096EF546C7151EF309A48CBA2

    Control-flow Graph

    APIs
    • ReadFile.KERNELBASE(?,?,?,?,00000000,00000001,?,?,?,?), ref: 00BC36D3
    • GetLastError.KERNEL32 ref: 00BC36E8
    • GetLastError.KERNEL32 ref: 00BC36F5
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00BC3721
    • GetLastError.KERNEL32 ref: 00BC3759
    Strings
    • ##(IXStream)-bExact=<%d>##, xrefs: 00BC37A3
    • ##(IXStream)-Offset=<%I64u>##, xrefs: 00BC37D5
    • ##(IXStream)-A lire=<%u>, lu=<%u>##, xrefs: 00BC37B5
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3792
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorLast$FileRead
    • String ID: ##(IXStream)-A lire=<%u>, lu=<%u>##$##(IXStream)-Handle=<%p>##$##(IXStream)-Offset=<%I64u>##$##(IXStream)-bExact=<%d>##
    • API String ID: 3644057887-2873668781
    • Opcode ID: dd6c019054aac2f0a47d61a8e862aeaf35c1a8b7005ba3e3ece5c1c9db6bacff
    • Instruction ID: f05eeb1f03996ed78b914c5bd0d21f377863c27d094f6b864a518720636ae12d
    • Opcode Fuzzy Hash: dd6c019054aac2f0a47d61a8e862aeaf35c1a8b7005ba3e3ece5c1c9db6bacff
    • Instruction Fuzzy Hash: CB41A4B1240705AFE711AF64CC85F3BB7E5EF44B04F0049ADF59A962A1DB71AE04CB12

    Control-flow Graph

    APIs
    • _wcslen.LIBCMT ref: 00BCAB00
    • _wcslen.LIBCMT ref: 00BCAB08
    • __alloca_probe_16.LIBCMT ref: 00BCAB18
    • _wcslen.LIBCMT ref: 00BCAB4F
    • __alloca_probe_16.LIBCMT ref: 00BCAB5B
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00BCAB8F
    • CloseHandle.KERNEL32(00000000), ref: 00BCAB9E
      • Part of subcall function 00BCAA27: ShellExecuteExW.SHELL32(0000003C), ref: 00BCAA7E
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: _wcslen$__alloca_probe_16$CloseCreateExecuteHandleProcessShell
    • String ID:
    • API String ID: 3733558001-0
    • Opcode ID: b20c0d31a4fac51713fe30d800539f9a7ac118fca8d9a0a497e5a3406362ceb8
    • Instruction ID: 2e0cf3bb01edb2af0ffa958d252cfe9313299690c93d7f3b1ed9938f2deac732
    • Opcode Fuzzy Hash: b20c0d31a4fac51713fe30d800539f9a7ac118fca8d9a0a497e5a3406362ceb8
    • Instruction Fuzzy Hash: 2531A87290021EABDB11AB94DC46EEFBBF9EF44314F140066FA05B7151EB709D05C6E5

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001), ref: 00BC4B1B
    • GetFileAttributesW.KERNELBASE(00000000), ref: 00BC4B20
    • GetLastError.KERNEL32 ref: 00BC4B32
    • GetLastError.KERNEL32 ref: 00BC4B3D
    • SetErrorMode.KERNELBASE(00000000), ref: 00BC4B42
    • SetLastError.KERNEL32(00000000), ref: 00BC4B45
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$Last$Mode$AttributesFile
    • String ID:
    • API String ID: 1063090721-0
    • Opcode ID: 8dcc86ca34be9378a544b4ef31bd2c1333ddaaee6ca88b48f1f0922232575dee
    • Instruction ID: 5fe537c057796f3671651e5e43009e6e39ae6e412c3986f26e97d6f7eb6e2036
    • Opcode Fuzzy Hash: 8dcc86ca34be9378a544b4ef31bd2c1333ddaaee6ca88b48f1f0922232575dee
    • Instruction Fuzzy Hash: 4411AF31640305ABD320AB64DC8AFAE77E8EF85350F40046DB90597292DA75AD08C6A2

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001,?,00000001), ref: 00BC45EA
    • _wcslen.LIBCMT ref: 00BC462C
    • GetLastError.KERNEL32 ref: 00BC4646
    • SetErrorMode.KERNELBASE(?), ref: 00BC4652
    • SetLastError.KERNEL32(00000000), ref: 00BC4659
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$_wcslen
    • String ID:
    • API String ID: 2399039950-0
    • Opcode ID: e24360ad7d17aada41e112e12fda8bd00c5b25cda2c70a095880ee927f7360a5
    • Instruction ID: 699d0b971003707bb7366862abb96347b44f89a8b0081ba05ce7e941aea57aa5
    • Opcode Fuzzy Hash: e24360ad7d17aada41e112e12fda8bd00c5b25cda2c70a095880ee927f7360a5
    • Instruction Fuzzy Hash: A42192316402415AD724BB609D6AFBB77E4DF92750F4004FDB50687192EFA18E49C6A1

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001), ref: 00BC445B
    • DeleteFileW.KERNELBASE(?), ref: 00BC4464
    • GetLastError.KERNEL32 ref: 00BC446E
    • SetErrorMode.KERNELBASE(00000000), ref: 00BC4477
    • SetLastError.KERNEL32(00000000), ref: 00BC447E
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$DeleteFile
    • String ID:
    • API String ID: 2979141694-0
    • Opcode ID: deff0bf946230e7088c983cfc56b8f9942940c231cbc57de47b494b5705d4db9
    • Instruction ID: 9b4bbf3071dd1ada7a2fdfa78fc82b92bf2e54eed881f7cbc7b41b5a4f39544d
    • Opcode Fuzzy Hash: deff0bf946230e7088c983cfc56b8f9942940c231cbc57de47b494b5705d4db9
    • Instruction Fuzzy Hash: 73018031640344ABE320BB70DC4EFAF77E8EF91751F40846DB51A86192DE755A048BA2

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001), ref: 00BC4FBC
    • GetTempFileNameW.KERNELBASE(?,?,00000000), ref: 00BC4FCB
    • GetLastError.KERNEL32(?,?,00000000), ref: 00BC4FD3
    • SetErrorMode.KERNELBASE(00000000,?,?,00000000), ref: 00BC4FDC
    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00BC4FE3
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$FileNameTemp
    • String ID:
    • API String ID: 138537940-0
    • Opcode ID: 0c690d30da3985c41e8107bb2e3181ae01d9d909e1e0d3cb44a688db7ca117a2
    • Instruction ID: 4746dc1b83d118811f2f0d9e7f6093d28dd9ccf4cb476f4268937d00e0e5616d
    • Opcode Fuzzy Hash: 0c690d30da3985c41e8107bb2e3181ae01d9d909e1e0d3cb44a688db7ca117a2
    • Instruction Fuzzy Hash: 4DF0A9326002157BD7112FB59C8EFAF79E9DF85360F444075FA09DF292DEA19D4096A0

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001,00000000,?,?,?,?,00BC4539,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BBB
    • SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BC5
    • GetLastError.KERNEL32(?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BCF
    • SetErrorMode.KERNELBASE(00000000,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BD8
    • SetLastError.KERNEL32(00000000,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BDF
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$AttributesFile
    • String ID:
    • API String ID: 3259181413-0
    • Opcode ID: 3c64fe7f5517cb72c467ab91b494b3feab4fa52ca46e6389b0dfe308336a3ea7
    • Instruction ID: 76ecb8428be2903a81e5ad08f33595a23d0960ec3d6f6fdec350a94bb0e5976a
    • Opcode Fuzzy Hash: 3c64fe7f5517cb72c467ab91b494b3feab4fa52ca46e6389b0dfe308336a3ea7
    • Instruction Fuzzy Hash: F3F062325013516BE3046B759C0EF6B7AE8EF81751F00047DF506CB192EFA2690486A1

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001), ref: 00BC414C
    • SystemTimeToFileTime.KERNEL32(?), ref: 00BC4159
    • GetLastError.KERNEL32 ref: 00BC4161
    • SetErrorMode.KERNELBASE(00000000), ref: 00BC416A
    • SetLastError.KERNEL32(00000000), ref: 00BC4171
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastModeTime$FileSystem
    • String ID:
    • API String ID: 81331137-0
    • Opcode ID: 398163b2afc6fae9469d5254d9bc65c4ab95ee6469f1c3381b04c5aacea88918
    • Instruction ID: 1cbc452a0e9a3ea5a07cc4a88fdfd78591c0ee061d78ba5ef4a54c7f5ecb5ca3
    • Opcode Fuzzy Hash: 398163b2afc6fae9469d5254d9bc65c4ab95ee6469f1c3381b04c5aacea88918
    • Instruction Fuzzy Hash: 3001562D510255AACB00AFF4D8445EDB7B4FF5C7147148099E919D7312F7318A47C779

    Control-flow Graph

    APIs
    • SetErrorMode.KERNELBASE(00008001,?,?,?,00BC503F), ref: 00BC4EC7
    • GetTempPathW.KERNEL32(00000104,?,?,?,?,00BC503F), ref: 00BC4ED5
    • GetLastError.KERNEL32(?,?,?,00BC503F), ref: 00BC4EDD
    • SetErrorMode.KERNELBASE(00000000,?,?,?,00BC503F), ref: 00BC4EE6
    • SetLastError.KERNEL32(00000000,?,?,?,00BC503F), ref: 00BC4EED
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$PathTemp
    • String ID:
    • API String ID: 875176722-0
    • Opcode ID: 257787024066bb523362b6aef1bc42be84dbb75ba33b406317b66adcc509337c
    • Instruction ID: f0374067a509f82d172f317d890ae023851d39d1894ac3ff8fb4ac3de6a4cb3d
    • Opcode Fuzzy Hash: 257787024066bb523362b6aef1bc42be84dbb75ba33b406317b66adcc509337c
    • Instruction Fuzzy Hash: F9F09632A402556BD63037B16C5DFBB39E8CB41353F0040BDFA0ECB182EEA68A444260
    APIs
      • Part of subcall function 00BC80F1: _wcslen.LIBCMT ref: 00BC80FA
      • Part of subcall function 00BC4881: _wcslen.LIBCMT ref: 00BC4885
    • SetErrorMode.KERNELBASE(00008001,?,?,00000000), ref: 00BC5459
    • GetDriveTypeW.KERNELBASE(?,?,?,00000000), ref: 00BC5468
    • GetLastError.KERNEL32(?,?,00000000), ref: 00BC5470
    • SetErrorMode.KERNELBASE(00000000,?,?,00000000), ref: 00BC5479
    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00BC5480
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode_wcslen$DriveType
    • String ID:
    • API String ID: 2918200356-0
    • Opcode ID: 91897d1580acde5effe66c32b71ab96d52ebac3a10e7cfd4fa1ee3a1054ced59
    • Instruction ID: d7035de43f18b3349b0d6c5fe069b8c487fbda3d8e6ac8d3a23ceddada1c03c3
    • Opcode Fuzzy Hash: 91897d1580acde5effe66c32b71ab96d52ebac3a10e7cfd4fa1ee3a1054ced59
    • Instruction Fuzzy Hash: 11F05B725012545BC7146B74EC8DDDA77BCEB84320F2043B6F116D71D3EE705A49CA60
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,00BC3E4E,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00BC3E62
    • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00BC3E7C
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00BC3E84
    • SetErrorMode.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00BC3E8D
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00BC3E94
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$FileTime
    • String ID:
    • API String ID: 3468889105-0
    • Opcode ID: 521da845faa07b8b81dc94550fc3b473f31dab4ba700797453e85e5d32d866c1
    • Instruction ID: 899d805803bf5aa4f5301e8f6dc295489f5fba0625dfebd32d0edfc0cb61548a
    • Opcode Fuzzy Hash: 521da845faa07b8b81dc94550fc3b473f31dab4ba700797453e85e5d32d866c1
    • Instruction Fuzzy Hash: 7CE01236600252ABC7115FB1AC8CC9A7FA5EBD8392B004435F645C7233DE318855DB60
    APIs
    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,00000001), ref: 00BC35D8
    • GetLastError.KERNEL32 ref: 00BC3605
    Strings
    • ##(IXStream)-Access=<%x>##, xrefs: 00BC364A
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3637
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: ##(IXStream)-Access=<%x>##$##(IXStream)-Handle=<%p>##
    • API String ID: 442123175-1203569065
    • Opcode ID: c9ddf4e84bcadc3858327d50677e7db488b7ca913af54b7d512d4d4f64713770
    • Instruction ID: e2e0bb2f77cb67e711376a9e8cdf0f371ed8acc5b03ebc253ad5ab400d297643
    • Opcode Fuzzy Hash: c9ddf4e84bcadc3858327d50677e7db488b7ca913af54b7d512d4d4f64713770
    • Instruction Fuzzy Hash: 2721C131300702BFE704AB60CC85F7AF3EAFF54705F00866CF51696192CB62AD218761
    APIs
    • SetFilePointer.KERNELBASE(?,?,?,?,00000001), ref: 00BC3849
    • GetLastError.KERNEL32 ref: 00BC385C
    • GetLastError.KERNEL32 ref: 00BC3862
      • Part of subcall function 00BCA285: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2B0
      • Part of subcall function 00BCA285: LocalFree.KERNEL32(00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2CE
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3890
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorLast$FileFormatFreeLocalMessagePointer
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 1717876565-1932549541
    • Opcode ID: 8343a757d20404b32607f469d7f9b50e99a0d98784609f5ae89173f6df7b7618
    • Instruction ID: 724fa75f9f890d165526d90fb75491a41f6d2b3ea78c264e813fc8295a0c2efe
    • Opcode Fuzzy Hash: 8343a757d20404b32607f469d7f9b50e99a0d98784609f5ae89173f6df7b7618
    • Instruction Fuzzy Hash: 58219375600605BBE704BB61DC86FBAF7E9FF44710F00866DF52697291DB71AD2087A0
    APIs
    • SetLastError.KERNEL32(00000005), ref: 00BC4719
    • GetFileAttributesW.KERNELBASE(?), ref: 00BC4741
    • CreateDirectoryW.KERNELBASE(?,0000000C), ref: 00BC47B1
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: AttributesCreateDirectoryErrorFileLast
    • String ID:
    • API String ID: 674977465-0
    • Opcode ID: 2ae88d5ab9a3c244d1f864dfea05aba1f3865c683a8fefd61dcdba12e4f47404
    • Instruction ID: 6c4f678acfc4c2e0d66542062badfe7f1bd76aa9f23864f017e5d09b0bc263aa
    • Opcode Fuzzy Hash: 2ae88d5ab9a3c244d1f864dfea05aba1f3865c683a8fefd61dcdba12e4f47404
    • Instruction Fuzzy Hash: 973145313047018BE7215F398C68F7B76D9DFC6752F1408AFE826C7291DBA0CE088291
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: __alloca_probe_16
    • String ID: -
    • API String ID: 1700504859-2547889144
    • Opcode ID: 4e4814d2724864f18ffc53522cdd1e309a7b808d211a75c6acdfdfc4f899cdea
    • Instruction ID: cf34fb90563ce32d2760a190cc95faf91cd8489289d1324d2bf2b93c3a85422f
    • Opcode Fuzzy Hash: 4e4814d2724864f18ffc53522cdd1e309a7b808d211a75c6acdfdfc4f899cdea
    • Instruction Fuzzy Hash: 14B12E71A00209AFDB14DFA9C895AAEF7F9FF48310F1485AAE415A7351E770AE40CF60
    APIs
      • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00008001,?,?,00000000), ref: 00BC5459
      • Part of subcall function 00BC541D: GetDriveTypeW.KERNELBASE(?,?,?,00000000), ref: 00BC5468
      • Part of subcall function 00BC541D: GetLastError.KERNEL32(?,?,00000000), ref: 00BC5470
      • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00000000,?,?,00000000), ref: 00BC5479
      • Part of subcall function 00BC541D: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00BC5480
    • QueryDosDeviceW.KERNEL32(?,?,00000104,?,?), ref: 00BC5529
      • Part of subcall function 00BC548D: _wcschr.LIBVCRUNTIME ref: 00BC5497
      • Part of subcall function 00BC81A5: _wcslen.LIBCMT ref: 00BC81AE
    Strings
    • \Device\LanmanRedirector\;, xrefs: 00BC553B
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode$DeviceDriveQueryType_wcschr_wcslen
    • String ID: \Device\LanmanRedirector\;
    • API String ID: 1735156782-2223467107
    • Opcode ID: d5010de41e34fd6e02d7b0d7527cca07489d3caedfca03a9e33e947a4e3dd000
    • Instruction ID: d9cf58623d9854f93ff58549b6b44967daef2f7116f5e5dc83483bd9b3c3227a
    • Opcode Fuzzy Hash: d5010de41e34fd6e02d7b0d7527cca07489d3caedfca03a9e33e947a4e3dd000
    • Instruction Fuzzy Hash: 9121C0727042086ADF24A6A49C81FEE73EEDF58354F1404AAE516D32C1EA30EA858661
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: _wcslen
    • String ID: WD_
    • API String ID: 176396367-4185073475
    • Opcode ID: d75d3d5edbf3675a79b233552dade7565953e0e704329c46de538e0a38f2f7e1
    • Instruction ID: 78e8c873b3ced714edf5631c2bb26df0bb99b8ef960737b03a3dafd4cb33f339
    • Opcode Fuzzy Hash: d75d3d5edbf3675a79b233552dade7565953e0e704329c46de538e0a38f2f7e1
    • Instruction Fuzzy Hash: 89F0818539DA5612962A61355825FFEC7CECF9136471400FFE90AC6781FF44CE4241D9
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BCF004
    • GetLastError.KERNEL32(?,?,?,?,?,00000064,00000000,?,?,00000000,?,?), ref: 00BCF022
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorLastUnothrow_t@std@@@__ehfuncinfo$??2@
    • String ID:
    • API String ID: 4282017882-0
    • Opcode ID: 596e86b42ebdc5b09bfd901b38bc6d33abcc7f3783db063e380540e300937ac0
    • Instruction ID: fedddf078193dc1f854f8e15c19ea071b38ce1d5d024e0e67cfd4e98d93b94dc
    • Opcode Fuzzy Hash: 596e86b42ebdc5b09bfd901b38bc6d33abcc7f3783db063e380540e300937ac0
    • Instruction Fuzzy Hash: 4E417D71204342EBEB24DF24CC81F7BBBE6EB84740F2049AEF54596292EB71D944CA52
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00BD8D4A
      • Part of subcall function 00BDB8D0: RaiseException.KERNEL32(?,?,?,00BD8D6C,?,?,?,?,?,?,?,?,00BD8D6C,?,00C00B64), ref: 00BDB930
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00BD8D67
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Exception@8Throw$ExceptionRaise
    • String ID:
    • API String ID: 3476068407-0
    • Opcode ID: db94a478966d47fc2765f724d24bc582b75a16b0d23fe380a0e4aa7dac21e5b4
    • Instruction ID: a1115217eb9eafce58f253bd1e44c02412ebf1e34965e50043b0f6910cb847d3
    • Opcode Fuzzy Hash: db94a478966d47fc2765f724d24bc582b75a16b0d23fe380a0e4aa7dac21e5b4
    • Instruction Fuzzy Hash: D3F0902480020DBBCB04B6A4E896DADF7ECAA10311F7045F7B925956D1FF70DA598691
    APIs
    • TlsFree.KERNELBASE(?,?,01192F20,00BCCB9D), ref: 00BCCC30
    • DeleteCriticalSection.KERNEL32(01192F24,00BCCB9D), ref: 00BCD2B9
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: CriticalDeleteFreeSection
    • String ID:
    • API String ID: 3112490556-0
    • Opcode ID: c5e7ae2e833e0bb7eab75db6ee4f2278a0cd8fac5bd441d0f199b95c4a04e1f4
    • Instruction ID: 9849d2cefa04f442732b00ffb9b8d8660fc5df4d099b3924c291363d4097efa3
    • Opcode Fuzzy Hash: c5e7ae2e833e0bb7eab75db6ee4f2278a0cd8fac5bd441d0f199b95c4a04e1f4
    • Instruction Fuzzy Hash: 0CD05E7A00000BEBCB045B25D9448A9FBA4FE94311300417DE016579208F70E425CA90
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00BF85C0,00000000,00000000,00000000,00BD7CEE,?,?,00000000), ref: 00BD7E3D
      • Part of subcall function 00BC1430: RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Themes\Personalize,00000000,00020019,?), ref: 00BC145E
      • Part of subcall function 00BC1430: RegQueryValueExW.KERNELBASE(?,AppsUseLightTheme,00000000,00000000,?,?), ref: 00BC1487
      • Part of subcall function 00BC1430: FindCloseChangeNotification.KERNELBASE(?), ref: 00BC149C
      • Part of subcall function 00BC1430: GetModuleHandleW.KERNEL32(00000000), ref: 00BC14BA
      • Part of subcall function 00BC1430: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00BC14C2
      • Part of subcall function 00BC1430: LoadIconW.USER32(00000000), ref: 00BC14C5
      • Part of subcall function 00BC1430: CreateSolidBrush.GDI32(00F7F7F7), ref: 00BC14E2
      • Part of subcall function 00BC1430: RegisterClassW.USER32(?), ref: 00BC14F9
      • Part of subcall function 00BC1430: #17.COMCTL32 ref: 00BC14FF
      • Part of subcall function 00BC1430: GetDesktopWindow.USER32 ref: 00BC150E
      • Part of subcall function 00BC1430: GetDesktopWindow.USER32 ref: 00BC1512
      • Part of subcall function 00BC1538: _wcslen.LIBCMT ref: 00BC1587
      • Part of subcall function 00BC1538: MulDiv.KERNEL32(000001FA,?,00000060), ref: 00BC15B8
      • Part of subcall function 00BC1538: MulDiv.KERNEL32(00000083,?,00000060), ref: 00BC15C5
      • Part of subcall function 00BC1538: GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000), ref: 00BC15CD
      • Part of subcall function 00BC1538: KiUserCallbackDispatcher.NTDLL(00000001), ref: 00BC15E0
      • Part of subcall function 00BC1538: GetSystemMetrics.USER32(00000000), ref: 00BC15EC
      • Part of subcall function 00BC1538: CreateWindowExW.USER32(00000000,AMORCE,?,80800000,00000000,?,00000000), ref: 00BC1607
      • Part of subcall function 00BC1538: GetClientRect.USER32(00000000,?), ref: 00BC161E
      • Part of subcall function 00BC1538: MulDiv.KERNEL32(0000002B,?,00000060), ref: 00BC1637
      • Part of subcall function 00BD87D8: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD8D4A
      • Part of subcall function 00BD87D8: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD8D67
      • Part of subcall function 00BC2820: InterlockedDecrement.KERNEL32(?), ref: 00BC282B
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Module$HandleWindow$CreateDesktopException@8Throw$BrushCallbackChangeClassClientCloseDecrementDispatcherFileFindIconInterlockedLoadMetricsNameNotificationOpenQueryRectRegisterSolidSystemUserValue_wcslen
    • String ID:
    • API String ID: 3652288183-0
    • Opcode ID: f5e5f8705d3523affa8c405852b61cd71fcf2101309e44b102e794e1ee0c0f88
    • Instruction ID: fce150563df808954f893c44006e2cb9904f1a399ddb73aea67ac0a95daa6702
    • Opcode Fuzzy Hash: f5e5f8705d3523affa8c405852b61cd71fcf2101309e44b102e794e1ee0c0f88
    • Instruction Fuzzy Hash: 0C9119712083819BD734EB60D895FEFB3E9AFD4305F10496DE18A97291EF309948CB92
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,000000FF,?,00000104), ref: 00BD0A2C
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    • Opcode ID: f7b28d2850bb314a07be1cb3c160da4b274413abd3b592937c2eca01def96e89
    • Instruction ID: 9f064241f7dcb32012d5933729fc3ee3bd4a1f709b567e50c0959911b2bb8742
    • Opcode Fuzzy Hash: f7b28d2850bb314a07be1cb3c160da4b274413abd3b592937c2eca01def96e89
    • Instruction Fuzzy Hash: AFE17F70616607AFEB14EF65C890BA6F7E4FF84314F00066FF56893242E774A954CB91
    APIs
      • Part of subcall function 00BC56DC: _wcschr.LIBVCRUNTIME ref: 00BC56EF
    • WNetGetUniversalNameW.MPR(?,00000001,?,?), ref: 00BC5356
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: NameUniversal_wcschr
    • String ID:
    • API String ID: 3553001945-0
    • Opcode ID: 38245be2db72ef9ffa11a36b96ff278077e6785c0d04b4dda7e197187c69dda2
    • Instruction ID: 2271c6bddd7d6c6f9ff9b01a740893cb9b0859fe0967560dce1927f2c63476dd
    • Opcode Fuzzy Hash: 38245be2db72ef9ffa11a36b96ff278077e6785c0d04b4dda7e197187c69dda2
    • Instruction Fuzzy Hash: 7511C47230565627EB2532648C86FFF22DDCFD5760F2001AEF906E62C2EEE5E9824175
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00BE2383
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 83ca02f72c0fd19782ae0fac740f4415fcae3ba61a2932d61c1e107048d03fb8
    • Instruction ID: b09f4ffaef6f6f687d7672a6229dd1b7c509b2ecb550e4a223fc3aa3c73d4fef
    • Opcode Fuzzy Hash: 83ca02f72c0fd19782ae0fac740f4415fcae3ba61a2932d61c1e107048d03fb8
    • Instruction Fuzzy Hash: 14E039355002E2AEDB2527679C05BAF76DCEB427A0B2502A1ED459A1D4DB68DC0089E9
    APIs
    • FindCloseChangeNotification.KERNELBASE(000000FF,?,00BC32E7,00000000,00BC50F6,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC34AB
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: a8cf67b4f3f5db94a14ae10eff76a1635aa9b3784eab7b2253b43feef1705e79
    • Instruction ID: 16871be55542930aaa598d2284415f2885cfbc469b1166ff6f6413e0073e9ed5
    • Opcode Fuzzy Hash: a8cf67b4f3f5db94a14ae10eff76a1635aa9b3784eab7b2253b43feef1705e79
    • Instruction Fuzzy Hash: F3E0ED75501B0156C2355F3AA848697FBE8EF94320F504A5FE07AC62A0CB7466028A54
    APIs
    • KiUserCallbackDispatcher.NTDLL(01198500,?,00BD7C86), ref: 00BC18A4
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: CallbackDispatcherUser
    • String ID:
    • API String ID: 2492992576-0
    • Opcode ID: 4fd537ec73d49fd6253c8035a0aaf6a1d47beb6e9407352beb2a49efe8415f84
    • Instruction ID: 66ce0bfc7df46ee986af773460d7d4003d74e881fd698d57936f2c19604e5682
    • Opcode Fuzzy Hash: 4fd537ec73d49fd6253c8035a0aaf6a1d47beb6e9407352beb2a49efe8415f84
    • Instruction Fuzzy Hash: 8EC04C7A151482EFDA451B55EC49959FB36FB8C6123218135F202C74308F72A821DF50
    APIs
      • Part of subcall function 00BC56DC: _wcschr.LIBVCRUNTIME ref: 00BC56EF
    • LoadLibraryW.KERNEL32(NTDLL.dll), ref: 00BC334D
    • GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 00BC3361
    • GetFileInformationByHandle.KERNEL32(?,?), ref: 00BC33C6
    • GetLogicalDriveStringsW.KERNEL32(00000207,?), ref: 00BC33F5
      • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00008001,?,?,00000000), ref: 00BC5459
      • Part of subcall function 00BC541D: GetDriveTypeW.KERNELBASE(?,?,?,00000000), ref: 00BC5468
      • Part of subcall function 00BC541D: GetLastError.KERNEL32(?,?,00000000), ref: 00BC5470
      • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00000000,?,?,00000000), ref: 00BC5479
      • Part of subcall function 00BC541D: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00BC5480
    • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00BC3446
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$DriveInformationLastMode$AddressFileHandleLibraryLoadLogicalProcStringsTypeVolume_wcschr
    • String ID: :\$NTDLL.dll$NtQueryInformationFile
    • API String ID: 2113351856-85134840
    • Opcode ID: e479b04453181964715ad2c9ff1756f2b731121a8cf13678310d72de8ba6fdcb
    • Instruction ID: d4bcbe49a8cfcfe8d03a47384cb710e0d27d61ac08d65b6a93360348c763a30d
    • Opcode Fuzzy Hash: e479b04453181964715ad2c9ff1756f2b731121a8cf13678310d72de8ba6fdcb
    • Instruction Fuzzy Hash: FE419FB5900219ABDB15DFE8DC85EFAB7FCEF04744F5084A6E905E3251EA709E84CA60
    APIs
    • IsDlgButtonChecked.USER32(?,000003EB), ref: 00BD7086
    • GetDlgItemTextW.USER32(?,000003E9,00000014,00000104), ref: 00BD70B5
    • GetLastError.KERNEL32(?,?,?,?,?,00BD6DF8), ref: 00BD70D2
    • FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,?,?,?,?,00BD6DF8), ref: 00BD70ED
    • MessageBoxW.USER32(?,?,00BF85C0,00000010), ref: 00BD7101
    • LocalFree.KERNEL32(?,?,?,?,?,?,00BD6DF8), ref: 00BD710B
    • EndDialog.USER32(?,00000001), ref: 00BD7138
      • Part of subcall function 00BC4881: _wcslen.LIBCMT ref: 00BC4885
      • Part of subcall function 00BD7146: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000001,00000014), ref: 00BD7178
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Message$ButtonCheckedDialogErrorFileFormatFreeItemLastLocalModuleNameText_wcslen
    • String ID:
    • API String ID: 3344454600-0
    • Opcode ID: 7808e674c70d93afc22503235ef3cedebff47bae0f33bcf94137ccbf71217e09
    • Instruction ID: 68c082fe1242e1059131ad9c852cfb43b940e840ce30ea8d19d72c9a6ea9ef54
    • Opcode Fuzzy Hash: 7808e674c70d93afc22503235ef3cedebff47bae0f33bcf94137ccbf71217e09
    • Instruction Fuzzy Hash: D821D271344245AFDB145F20DC86E7BF7EAEB84711B10876EF6139A2E1EF60AC049B51
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 9c47870e9775c47b8fd5d83b6a0db233088c2f2400dd74d5a72dd898a40afe15
    • Instruction ID: 453e73b9021819b41dd8d2f21afb57cf671ebd27c343a0eeae4a100510212e8d
    • Opcode Fuzzy Hash: 9c47870e9775c47b8fd5d83b6a0db233088c2f2400dd74d5a72dd898a40afe15
    • Instruction Fuzzy Hash: 75C24972E086688FDB25CE29DD807EAB7F5EB54344F1441EAD84EE7241E774AE818F40
    APIs
    • FindFirstFileExW.KERNEL32(?,00000001,?,00000000,00000000,00000000,?,00000000), ref: 00BC4C8A
      • Part of subcall function 00BC4D31: SetErrorMode.KERNEL32(00008001,00000000,00000000,74DEE010), ref: 00BC4D51
      • Part of subcall function 00BC4D31: FindNextFileW.KERNEL32(?,?), ref: 00BC4D5C
      • Part of subcall function 00BC4D31: GetLastError.KERNEL32(?,?), ref: 00BC4D75
      • Part of subcall function 00BC4D31: SetErrorMode.KERNEL32(00000000,?,?), ref: 00BC4D7E
      • Part of subcall function 00BC4D31: SetLastError.KERNEL32(00000000,?,?), ref: 00BC4D81
    • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00BC4C94
    • GetLastError.KERNEL32(?,00000000), ref: 00BC4CA2
    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BC4CAF
    • GetLastError.KERNEL32(?,00000000), ref: 00BC4CBA
    • GetLastError.KERNEL32(?,00000000), ref: 00BC4CC1
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$Last$FileFind$FirstMode$Next
    • String ID:
    • API String ID: 2377660678-0
    • Opcode ID: 62b5f7558270a1e886564126fc4425b12c4a5a4ef9df16996f6a821c770c45bb
    • Instruction ID: e5e75155538ce7d2f3bd07bc8b018c32bf7d324d8975ab2a9b19e2e3e068f952
    • Opcode Fuzzy Hash: 62b5f7558270a1e886564126fc4425b12c4a5a4ef9df16996f6a821c770c45bb
    • Instruction Fuzzy Hash: B421A031501241ABD320BF61DC86FAF76E8EFC6320F0005BDF94687162EF719E4586A2
    APIs
    • GetPrivateProfileIntW.KERNEL32(INSTALL,GARDETEMP,00000000,INSTALL.INI), ref: 00BD834D
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: PrivateProfile
    • String ID: GARDETEMP$INSTALL$INSTALL.INI
    • API String ID: 1469295129-1261030207
    • Opcode ID: f9bd6253e2cd153237be0f97d3a2809b6aa06cfaa53efb85c82c207ea79a779c
    • Instruction ID: f7d90abadceeeee3e93030c20320bc5b090de6cfa6e9da69a5edda0c1bcdd84a
    • Opcode Fuzzy Hash: f9bd6253e2cd153237be0f97d3a2809b6aa06cfaa53efb85c82c207ea79a779c
    • Instruction Fuzzy Hash: 2EC01231380266A2C43022502C49BBA4BC09B41F61F5904F5F309BB3E1889048485294
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BE2176
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BE2180
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BE218D
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 35d9cd71126c236eb61bc6394c2109e04f0a70ed637b8651e23779bacf554fc0
    • Instruction ID: 062c9bb83f43dcda5311a27a77cf5a77952c871befa392ab08d39696f46da211
    • Opcode Fuzzy Hash: 35d9cd71126c236eb61bc6394c2109e04f0a70ed637b8651e23779bacf554fc0
    • Instruction Fuzzy Hash: EA31D3749412299BDB21DF69D888B9CBBF8FF08310F5041EAE50CA7251EB309B818F45
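The per-function API lists above are what an analyst reads to decide whether a flagged signature matters. As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), the script below parses the bullet lines in exactly the form this report prints them and applies two checks that are otherwise done by eye: it pairs a LoadLibrary/GetModuleHandle call with a GetProcAddress that names an export (the record spanning 00BC334D to 00BC3446, which resolves NtQueryInformationFile from NTDLL.dll and is what the "Extensive use of GetProcAddress" signature is counting), and it distinguishes the IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter triad in the record just above (00BE2176 to 00BE218D) from a stand-alone IsDebuggerPresent. That triad, three calls within a few bytes of each other, is the MSVC runtime's /GS stack-cookie fault-reporting routine (__raise_securityfailure) and is why the "check if a debugger is running" signature fires on most compiler-built Windows binaries; only an IsDebuggerPresent whose result steers the program's own control flow is worth a closer look. The two sample inputs are copied from those two records; the one-line third sample and the 0x40-byte proximity window are constructed assumptions of the example.

```python
"""Triage helper for the per-function "APIs" lists in a Joe Sandbox report.

Added example, not part of the report. It parses bullet lines such as

    • GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 00BC3361
      • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00008001,?), ref: 00BC5459
    • __CxxThrowException@8.LIBVCRUNTIME ref: 00BD8D4A
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")   # an 8-digit immediate such as 00000000


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee the line was hoisted from, if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's API bullet lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", blank lines and so on
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def _literal_args(call: ApiCall) -> List[str]:
    """Arguments that are real literals, not '?' placeholders or 8-digit immediates."""
    return [a for a in call.args if a and a != "?" and not _HEX32.match(a)]


def find_dynamic_resolution(calls: List[ApiCall]) -> List[str]:
    """GetProcAddress with a literal export name, paired with the module loaded in the same function."""
    direct = [c for c in calls if c.subcall is None]
    loaders = sorted({_literal_args(c)[0] for c in direct
                      if c.api.startswith(("LoadLibrary", "GetModuleHandle")) and _literal_args(c)})
    findings = []
    for c in direct:
        if c.api == "GetProcAddress" and _literal_args(c):
            findings.append("resolves %s at runtime (from %s) at %08X"
                            % (_literal_args(c)[-1], ", ".join(loaders) or "unknown module", c.ref))
    return findings


def classify_debugger_check(calls: List[ApiCall], window: int = 0x40) -> str:
    """IsDebuggerPresent followed within `window` bytes (an assumed threshold) by
    SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter is the MSVC runtime's
    /GS fault-reporting routine (__raise_securityfailure), not an anti-debug check."""
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    for i, c in enumerate(direct):
        if c.api != "IsDebuggerPresent":
            continue
        tail = [d for d in direct[i + 1:] if d.ref - c.ref <= window]
        if {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= {d.api for d in tail}:
            suef = next(d for d in tail if d.api == "SetUnhandledExceptionFilter")
            if suef.args and suef.args[0] == "00000000":
                return "crt-fault-reporting"
        return "standalone-isdebuggerpresent"
    return "none"


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {"calls": len(calls),
            "dynamic_resolution": find_dynamic_resolution(calls),
            "debugger_check": classify_debugger_check(calls)}


# Sample input: API lines copied from the two report records discussed in the lead-in.
SAMPLE_RESOLVE = """\
  • Part of subcall function 00BC56DC: _wcschr.LIBVCRUNTIME ref: 00BC56EF
• LoadLibraryW.KERNEL32(NTDLL.dll), ref: 00BC334D
• GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 00BC3361
• GetFileInformationByHandle.KERNEL32(?,?), ref: 00BC33C6
• GetLogicalDriveStringsW.KERNEL32(00000207,?), ref: 00BC33F5
  • Part of subcall function 00BC541D: SetErrorMode.KERNELBASE(00008001,?,?,00000000), ref: 00BC5459
  • Part of subcall function 00BC541D: GetDriveTypeW.KERNELBASE(?,?,?,00000000), ref: 00BC5468
• GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00BC3446
"""
SAMPLE_DEBUG = """\
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BE2176
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BE2180
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BE218D
"""
SAMPLE_CONSTRUCTED = "• IsDebuggerPresent.KERNEL32 ref: 00401000\n"   # constructed, not from the report

if __name__ == "__main__":
    for name, sample in (("resolve", SAMPLE_RESOLVE), ("debug", SAMPLE_DEBUG), ("constructed", SAMPLE_CONSTRUCTED)):
        print(name, triage(sample))
```

Paste any record's API list into `triage()`; lines hoisted from callees ("Part of subcall function") are kept but excluded from both checks, because they belong to a different function's body. The proximity window is the weak point of the heuristic: a compiler that reorders the three calls, or a hand-written stub that mimics them, defeats it, so treat "crt-fault-reporting" as a reason to deprioritise, not as proof.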
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 211cac29db008b71657efb950ed9a236649d95033b8929f95445fd8d9b804229
    • Instruction ID: 2cb0031ecbb35c34b5f93d18bceaca966cbdcaa07de7dfae13a2658d2efdf866
    • Opcode Fuzzy Hash: 211cac29db008b71657efb950ed9a236649d95033b8929f95445fd8d9b804229
    • Instruction Fuzzy Hash: 25022C71E102599FDF14DFA9C8806ADBBF1EF98314F2582A9D819E7384D770AE418F90
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID:
    • String ID: F?$Q?
    • API String ID: 0-2472221975
    • Opcode ID: 8f8a0dfe55288a29795e7baf40c6fd7e8c927af380b4556be9ee466b102e1d32
    • Instruction ID: 4966d288072db5c1cf0e6f4172f14a93079ff35cfafc78ef35602d9dde798e4e
    • Opcode Fuzzy Hash: 8f8a0dfe55288a29795e7baf40c6fd7e8c927af380b4556be9ee466b102e1d32
    • Instruction Fuzzy Hash: 82526C706083468FDB18CF29C58066AFBE1EF88704F1489AEF89997341E774DA49CF56
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID:
    • String ID: H?
    • API String ID: 0-3474979535
    • Opcode ID: e8d916a253421ec9dadd8a08519b47646a8f54ca9b8b12195b52214ff46102ee
    • Instruction ID: 6448e653a1e83c0e29ad67373f198ecd8c0f8e7be233d441b5b552befc595c18
    • Opcode Fuzzy Hash: e8d916a253421ec9dadd8a08519b47646a8f54ca9b8b12195b52214ff46102ee
    • Instruction Fuzzy Hash: DD626A71A147568FCB18CF29C49026EBBE2FFC8314F144A6EE89997341E734D949CB91
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BEA90C,?,?,00000008,?,?,00BEBC51,00000000), ref: 00BEAB3E
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 43fd03dd281040a61e21b9a5996a329ea5db6ca8472c2d3119b8eb8ed238c82e
    • Instruction ID: 047a8f08a863ed2b4539674eba7b58e066805445d65ead15b650618aa248d1cb
    • Opcode Fuzzy Hash: 43fd03dd281040a61e21b9a5996a329ea5db6ca8472c2d3119b8eb8ed238c82e
    • Instruction Fuzzy Hash: 72B17B31610648CFD715CF29C5CAB647BE5FF44364F2986A8E89ACF2A1C335E982CB41
    APIs
      • Part of subcall function 00BC9B73: _wcslen.LIBCMT ref: 00BC9B87
    • GetVersionExW.KERNEL32(?), ref: 00BCDAA5
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Version_wcslen
    • String ID:
    • API String ID: 1320759119-0
    • Opcode ID: 632f6c90673e7b816d52364ac374cec7be382baebb5ab2bc5726d235de395a62
    • Instruction ID: 47532e190e4f2b29ec7e7ca5133d8c7e1eefad37a7d53e2c676fbbb9daf271da
    • Opcode Fuzzy Hash: 632f6c90673e7b816d52364ac374cec7be382baebb5ab2bc5726d235de395a62
    • Instruction Fuzzy Hash: 593160766587049BD331EE64DC92F97B3E8EF54710F00096DB58AD6181EBB0EA09CB91
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_000190AF,00BD8B68), ref: 00BD90A8
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 94c0dba3c5d6f4a2195948b51a4c5d93a07508c94c674b5ed241d12ff56cd471
    • Instruction ID: 9cea5045aa6172f4ad3403cc32b522032500577f96ad3873fa9106104c3f0eba
    • Opcode Fuzzy Hash: 94c0dba3c5d6f4a2195948b51a4c5d93a07508c94c674b5ed241d12ff56cd471
    • Instruction Fuzzy Hash:
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
    • Instruction ID: a858c9699e7672cae0f0c0fabace59e66a81bfd18ebbe233c8bc5615f3acad8a
    • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
    • Instruction Fuzzy Hash: 8C51267020070557DF344A6884A6BBEE7D5DB12318F180ADFE8C2CB782F625EE45D756
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: d765534c8df1a7f7b0891af21709dc75a9855d3cbc57f9e2b5d2f4f4d71320f8
    • Instruction ID: 94f59c5cb327a4bd22c15b42326620694866f1464d4b4bcda9076e557ce44297
    • Opcode Fuzzy Hash: d765534c8df1a7f7b0891af21709dc75a9855d3cbc57f9e2b5d2f4f4d71320f8
    • Instruction Fuzzy Hash: 43A001B4606646CBD7448F36AA4975E3AA9AA8669170680AAA505DA2A0EA2484509A02
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0757446a890f931d6258887044957513af31a44d1cae35a54d5a695e0d6c9da2
    • Instruction ID: b7ec84f2840301eb6c6e3e2f548ec3f4192a8d8d36dcae304cf3879823fb9123
    • Opcode Fuzzy Hash: 0757446a890f931d6258887044957513af31a44d1cae35a54d5a695e0d6c9da2
    • Instruction Fuzzy Hash: 18322632D69F814DD7239639C821335A699AFB73C4F15DB27F819B6EA5EF29C4838100
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2eda55acd491665a7d39ab1cf14996ca647a8782e43cc574981d42d72eb4e4e9
    • Instruction ID: 7c52ec3e44df16f3ff5bda070365b11c12239a346d28ec350dc87a20265293bf
    • Opcode Fuzzy Hash: 2eda55acd491665a7d39ab1cf14996ca647a8782e43cc574981d42d72eb4e4e9
    • Instruction Fuzzy Hash: 13025EB3B612184BD74CCE2DCC927DA73D3BFD4218B0E8938A849D7705F679E9194688
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d9c7606cd38bf3f79000aff3ba26cd6a69f15dc2eea94422dc081b2c49323c36
    • Instruction ID: 618e01a6224bdbc7a23f14c8f85cdf34ad42b01ba281585f97aee2c42c9ca92f
    • Opcode Fuzzy Hash: d9c7606cd38bf3f79000aff3ba26cd6a69f15dc2eea94422dc081b2c49323c36
    • Instruction Fuzzy Hash: 94A1DD746046169FC714CF19C5C0E6AFBE2FF88304F5486ADE89587B81C735E8A9CB92
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
    • Instruction ID: 5a5f6c94297c9d7103007821eedf1be7fbccec3aa815b126873a4d5c310b6168
    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
    • Instruction Fuzzy Hash: F29156722090A34EDB2D463A857903EFFE19A513A131A07EFD4F2CB2C5FE15C955EA21
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
    • Instruction ID: ec85f6daf639806368de1599ed5314dd4a3c2763b8cc2f5301e0ed5a248dfa5a
    • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
    • Instruction Fuzzy Hash: 709132722090A34ADB69463D857403EFFE2DA523A131E07EFD4F2CB2C5FE249955E621
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
    • Instruction ID: 84bbe2b02d6a0dec3e39d5f99a55911dd1b703a5012886e960a9037a43334a72
    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
    • Instruction Fuzzy Hash: D09194722090A34ADB29463A847803EFFE19A523A531E07EFD4F3CB3C1FD54C565AA21
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d637aa1abbc2577e6e323ab8d05d1b0a87fe367cc725ac4319473d596ea0e2bf
    • Instruction ID: f93231758aeb604b8d98151772f5fc09a494488967f14d20a60a32be493ff538
    • Opcode Fuzzy Hash: d637aa1abbc2577e6e323ab8d05d1b0a87fe367cc725ac4319473d596ea0e2bf
    • Instruction Fuzzy Hash: 2261643164070966DE389A688892BBEE3D8EB41704F1409DBE9CADF381F622DD42D795
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
    • Instruction ID: 58d58c28714dd00ff1357daa81cf1313727d712f25a3e8364d05d868b00cf84a
    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
    • Instruction Fuzzy Hash: 0E8141722090A34EDB29467A857403EFFE29A523A171A07EFD4F2CB3C1FE24D955D621
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 70062cc934670f714529fd405947d1eb9bbf6f17ed5f11c5ade195e25532dc47
    • Instruction ID: e683d73ad1ba320f236b4f26d0c03f6fefea87242282e03ad3d9497d3a0387e3
    • Opcode Fuzzy Hash: 70062cc934670f714529fd405947d1eb9bbf6f17ed5f11c5ade195e25532dc47
    • Instruction Fuzzy Hash: 69819471A142A04FCB44CF29E89053AF7E1EF9D311F4A095AF884EB382D635E915DFA1
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5d18fbe1d7ec9840b5f9a5e5681c2620d7c2436dad4a174e66167df5e10be50f
    • Instruction ID: dcc15323e795c541055e0e4e693b2529b99b60997e831a753c78693e67bf4db1
    • Opcode Fuzzy Hash: 5d18fbe1d7ec9840b5f9a5e5681c2620d7c2436dad4a174e66167df5e10be50f
    • Instruction Fuzzy Hash: 0B51AB716497459FD720CF39C590BAABBE1EF88710F048A6EF98487351D234E908CB91
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a6a10c344300da9877612b8f65e8729ef886ff32416e295a175c5669f13b2957
    • Instruction ID: 35492d04d99d8cf10fadeae70dc0d8a57503ffaacf20f07bf960f9e74244bcf2
    • Opcode Fuzzy Hash: a6a10c344300da9877612b8f65e8729ef886ff32416e295a175c5669f13b2957
    • Instruction Fuzzy Hash: 76418D7664A3519FC704CF28C49069AFBE1FFD9304F599A6DE8D95B302C670E80ACB91
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction ID: e2f0bd8989a82e84557f93403057ee39869943539edc4bd5d3c40ef60b97f77e
    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction Fuzzy Hash: F111637B241141C3D618862ED8F4DAAE7D9EAD5321B2F42FBD0424B758F323DD55AA00
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00BD752A
      • Part of subcall function 00BC422B: SetErrorMode.KERNELBASE(00008001,00000001,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4257
      • Part of subcall function 00BC422B: CreateFileW.KERNEL32(?,40000000,?,00000000,00000003,?,00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003), ref: 00BC42B8
      • Part of subcall function 00BC422B: CreateFileW.KERNEL32(?,40000000,?,00000000,00BC50C0,?,00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003), ref: 00BC42ED
      • Part of subcall function 00BC422B: GetLastError.KERNEL32(?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4332
      • Part of subcall function 00BC422B: SetErrorMode.KERNELBASE(?,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC433E
      • Part of subcall function 00BC422B: SetLastError.KERNEL32(00000000,?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4349
      • Part of subcall function 00BC422B: GetLastError.KERNEL32(?,00000000,?,?,?,00BC50C0,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC4358
    • GetPrivateProfileIntW.KERNEL32(GENERAL,NATIONDEFAUT,00000000,00000000), ref: 00BD75FA
    • GetPrivateProfileIntW.KERNEL32(GENERAL,MODEPATCH,00000000,?), ref: 00BD7658
    • GetPrivateProfileStringW.KERNEL32(GENERAL,APPPATCH,00BF85C0,00000434,00000104,?), ref: 00BD7686
    • GetPrivateProfileStringW.KERNEL32(GENERAL,FICLICENCE,00BF85C0,0000063E,00000104,?), ref: 00BD76A8
    • SetWindowTextW.USER32(?,00000000), ref: 00BD76F0
      • Part of subcall function 00BC349C: FindCloseChangeNotification.KERNELBASE(000000FF,?,00BC32E7,00000000,00BC50F6,?,40000000,00000003,00000002,10000000,00000000), ref: 00BC34AB
    • SetDlgItemTextW.USER32(?,000003E8,00000000), ref: 00BD7711
    • SetDlgItemTextW.USER32(?,000003EB,00000000), ref: 00BD7728
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BD773C
    • SetDlgItemTextW.USER32(?,00000002,00000000), ref: 00BD7750
    Similarity
    • API ID: ErrorText$ItemPrivateProfile$FileLast$CreateModeString$ChangeCloseFindModuleNameNotificationWindow
    • String ID: APPPATCH$FICLICENCE$GENERAL$MODEPATCH$NATIONDEFAUT$TRA
    • API String ID: 902555677-3788500860
    • Opcode ID: cb662e640a658494453dc91a6c80d2bd9a2ebc73f0ce713823fa3ed33e59252d
    • Instruction ID: 9e6a30d2ce948478a502440e8e42202e10f916b614fd3525335d2083bd8146d4
    • Opcode Fuzzy Hash: cb662e640a658494453dc91a6c80d2bd9a2ebc73f0ce713823fa3ed33e59252d
    • Instruction Fuzzy Hash: D8615C712442097BD614AB20DC92FBFB7DDEF84704F40496DB689A71E2DF64AE08C7A1
    APIs
      • Part of subcall function 00BC8E27: _wcsstr.LIBVCRUNTIME ref: 00BC8E40
    • _wcslen.LIBCMT ref: 00BD8397
    • _wcslen.LIBCMT ref: 00BD83E9
    • _wcslen.LIBCMT ref: 00BD83F7
      • Part of subcall function 00BC8D45: _wcslen.LIBCMT ref: 00BC8D4C
    • LoadLibraryW.KERNEL32(shell32.dll,00000000,00000000,00000000,00000000,00000000,?,00000226,?,?,?), ref: 00BD8490
    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00BD84A2
    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00BD84CC
    • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,?,?,?), ref: 00BD84EF
    • RegQueryValueExW.ADVAPI32(00000104,00000000,00000000,00000000,?,?), ref: 00BD851B
    • RegCloseKey.ADVAPI32(?), ref: 00BD8527
    Similarity
    • API ID: _wcslen$Library$AddressCloseFreeLoadOpenProcQueryValue_wcsstr
    • String ID: CSIDL($SHGetSpecialFolderPathW$shell32.dll
    • API String ID: 1081462260-1439309937
    • Opcode ID: 2fea31d7726931da15b8a7121625952705f46a1c230413f57670b89ab91ede26
    • Instruction ID: 9172c697e32385c878bcb8dc636fbbb6114fdddbdc2b4cf0652f6b4a1e1a8750
    • Opcode Fuzzy Hash: 2fea31d7726931da15b8a7121625952705f46a1c230413f57670b89ab91ede26
    • Instruction Fuzzy Hash: 9C5120B25043065FD305EF60DC95EBFB7E8EF94710F0009AEF58652292EE70AD49CA62
    APIs
    • ___free_lconv_mon.LIBCMT ref: 00BE9A84
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE963C
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE964E
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9660
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9672
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9684
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9696
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE96A8
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE96BA
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE96CC
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE96DE
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE96F0
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9702
      • Part of subcall function 00BE961F: _free.LIBCMT ref: 00BE9714
    • _free.LIBCMT ref: 00BE9A79
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • _free.LIBCMT ref: 00BE9A9B
    • _free.LIBCMT ref: 00BE9AB0
    • _free.LIBCMT ref: 00BE9ABB
    • _free.LIBCMT ref: 00BE9ADD
    • _free.LIBCMT ref: 00BE9AF0
    • _free.LIBCMT ref: 00BE9AFE
    • _free.LIBCMT ref: 00BE9B09
    • _free.LIBCMT ref: 00BE9B41
    • _free.LIBCMT ref: 00BE9B48
    • _free.LIBCMT ref: 00BE9B65
    • _free.LIBCMT ref: 00BE9B7D
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 9ca2b9761ea6ab8a81ae61b7c60166693b890cfcc3075d03169e45dedfd635f1
    • Instruction ID: 5a26d6d35bf49a03a970c1c7f2c6158f9dc4028029d368cd3c0fe14b10c06a81
    • Opcode Fuzzy Hash: 9ca2b9761ea6ab8a81ae61b7c60166693b890cfcc3075d03169e45dedfd635f1
    • Instruction Fuzzy Hash: E9314D716007849FEB20AB3BE845B5AB3E9EF40310F1844A9E498D7191EF39ED88CB14
    APIs
      • Part of subcall function 00BD74C4: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,00000000), ref: 00BD752A
      • Part of subcall function 00BD74C4: GetPrivateProfileIntW.KERNEL32(GENERAL,NATIONDEFAUT,00000000,00000000), ref: 00BD75FA
    • GetParent.USER32(?), ref: 00BD6EF2
    • GetClientRect.USER32(?,?), ref: 00BD6F09
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 00BD6F41
    • SetDlgItemTextW.USER32(?,000003E9,?), ref: 00BD6F56
    • GetDlgItem.USER32(?,000003EB), ref: 00BD6F6A
    • CheckDlgButton.USER32(?,000003EB,?), ref: 00BD6F80
    • ShowWindow.USER32(00000000,00000000), ref: 00BD6F9B
    • GetDlgItem.USER32(?,000003EB), ref: 00BD6FAE
    • ShowWindow.USER32(00000000), ref: 00BD6FB1
    • GetDlgItem.USER32(?,000003ED), ref: 00BD6FBC
    • ShowWindow.USER32(00000000), ref: 00BD6FBF
      • Part of subcall function 00BD777B: GetDlgItem.USER32(?,000003EB), ref: 00BD779C
      • Part of subcall function 00BD777B: ShowWindow.USER32(00000000,?,00BD6EF1), ref: 00BD77A5
      • Part of subcall function 00BD777B: GetDlgItem.USER32(?,000003ED), ref: 00BD77B0
      • Part of subcall function 00BD777B: ShowWindow.USER32(00000000,?,00BD6EF1), ref: 00BD77B3
      • Part of subcall function 00BD777B: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00BD77FA
      • Part of subcall function 00BD777B: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00BD781D
      • Part of subcall function 00BD777B: CloseHandle.KERNEL32(?), ref: 00BD783C
      • Part of subcall function 00BD777B: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00BD786B
    • GetDlgItem.USER32(?,000003ED), ref: 00BD6FD2
    • SetWindowTheme.UXTHEME(00000000), ref: 00BD6FD5
    Similarity
    • API ID: ItemWindow$Show$FileModuleName$ButtonCheckClientCloseHandleOpenParentPrivateProfileQueryRectTextThemeValue
    • String ID:
    • API String ID: 3953570052-0
    • Opcode ID: 1db26fc10c20996833a01d86366d19158358d9ee01b6ff28a9ffada33fa91129
    • Instruction ID: 9d3ae42629aa4e67cb67a1fbac58c323f56b9a60b78e41b0a60bd2da8e9ffa3c
    • Opcode Fuzzy Hash: 1db26fc10c20996833a01d86366d19158358d9ee01b6ff28a9ffada33fa91129
    • Instruction Fuzzy Hash: 62318976104744AFD3019B68DC85E3FBBEDEB85715F058A29F64A972A0DB21E9018A21
    APIs
    • GetDlgItem.USER32(?,000003EB), ref: 00BD779C
    • ShowWindow.USER32(00000000,?,00BD6EF1), ref: 00BD77A5
    • GetDlgItem.USER32(?,000003ED), ref: 00BD77B0
    • ShowWindow.USER32(00000000,?,00BD6EF1), ref: 00BD77B3
    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00BD77FA
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00BD781D
    • CloseHandle.KERNEL32(?), ref: 00BD783C
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00BD786B
    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00BD7919
    • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,?,00000001), ref: 00BD7934
    Strings
    • Software\Microsoft\Windows\CurrentVersion\App Paths\%s.exe, xrefs: 00BD77D4
    Similarity
    • API ID: ItemShowWindow$CloseCurrentDirectoryExecuteFileHandleModuleNameOpenQueryShellValue
    • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths\%s.exe
    • API String ID: 1530588858-1758462720
    • Opcode ID: fad789fc7fbbd3c1c4ba470a17daccfbad2d3008afa776c80050fe874a00ecb4
    • Instruction ID: 7881d66a76d66cc0a6adb9cb92f9eb61caa800d541bfd89b7ceab7c8f22d1813
    • Opcode Fuzzy Hash: fad789fc7fbbd3c1c4ba470a17daccfbad2d3008afa776c80050fe874a00ecb4
    • Instruction Fuzzy Hash: BA41C271504209ABC710EF51CC89EABBBEDEF84358F04046AF949DB152EF71EA04CBA1
    APIs
    • GetModuleHandleW.KERNEL32(USER32.DLL,00000000,00000000,?,?,?,?,?,?,?,00BD6F03), ref: 00BC1B37
    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00BC1B5F
    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00BC1B80
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 00BC1B8D
    • GetSystemMetrics.USER32(00000000), ref: 00BC1BA4
    • GetSystemMetrics.USER32(00000001), ref: 00BC1BAB
    Similarity
    • API ID: AddressProc$MetricsSystem$HandleModule
    • String ID: GetMonitorInfoW$MonitorFromPoint$MonitorFromWindow$USER32.DLL
    • API String ID: 1779409587-1569299361
    • Opcode ID: 0b41405a7d2323a1b9f561304a44ec93818767d2010a0d0c8dd0630cc6696b43
    • Instruction ID: ad709681f172529aa0265645635a746ddd69d3b54f3891c722c05c373378b5f7
    • Opcode Fuzzy Hash: 0b41405a7d2323a1b9f561304a44ec93818767d2010a0d0c8dd0630cc6696b43
    • Instruction Fuzzy Hash: 9021D771900709AFD7109F25EC81F6B7BDDEB4A710F01045AFA05A7292EBB1AC44CFA5
    APIs
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BCDCF2
    • __alloca_probe_16.LIBCMT ref: 00BCDD05
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,?,00000001,00000000,00000000,00000001), ref: 00BCDD2B
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000), ref: 00BCDD3C
    • __alloca_probe_16.LIBCMT ref: 00BCDD5B
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,?,?,00000001), ref: 00BCDD80
    • _strlen.LIBCMT ref: 00BCDD94
    • _memcmp.LIBVCRUNTIME ref: 00BCDDCF
    • _wcslen.LIBCMT ref: 00BCDDF9
    • _memcmp.LIBVCRUNTIME ref: 00BCDE24
      • Part of subcall function 00BC2820: InterlockedDecrement.KERNEL32(?), ref: 00BC282B
    Similarity
    • API ID: ByteCharMultiWide$__alloca_probe_16_memcmp$DecrementInterlocked_strlen_wcslen
    • String ID:
    • API String ID: 3946104814-0
    • Opcode ID: 64d3450fb68eda1da652b88b586ebaec33ba3f299ccfe67aaa7980e84f4c9ad5
    • Instruction ID: 099c3e78c2969d05888898b579c347090d427109b833816351dbcf579b531740
    • Instruction Fuzzy Hash: B84172B190011AAEDB25AB64DC85FFF77BCEB54310F1041BDB912A7181EE749E058BA4
    APIs
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,00000000,?,?,?,?,?,00000000,00BCC73A,?,?,?), ref: 00BCC478
    • __alloca_probe_16.LIBCMT ref: 00BCC492
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,?,?,?,00000000,00BCC73A,?,?,?,?,?,?), ref: 00BCC4C9
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,00000000,?,?,?,?,?,00000000,00BCC73A,?,?,?), ref: 00BCC504
    • __alloca_probe_16.LIBCMT ref: 00BCC526
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,?,?,?,00000000,00BCC73A,?,?,?,?,?,?), ref: 00BCC55D
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,00000000,?,?,?,?,?,00000000,00BCC73A,?,?,?), ref: 00BCC5AB
    • __alloca_probe_16.LIBCMT ref: 00BCC5CD
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,00000000,?,?,?,00000000,00BCC73A,?,?,?,?,?,?), ref: 00BCC608
    • LCMapStringW.KERNEL32(?,?,?,00BCC73A,?,?,?,?,?,?,?,00000000,00BCC73A,?,?,?), ref: 00BCC62B
    Similarity
    • API ID: String$__alloca_probe_16
    • String ID:
    • API String ID: 1426756974-0
    • Opcode ID: d0c92b489f9c4166d28f276573258c4d30e5968ebcdd76c22b38c98c0d25013a
    • Instruction ID: 232431600611330de07cdb7b80ade08d0e1555d9e8910f2318a5e281b99fb495
    • Instruction Fuzzy Hash: 98619B72901109AFDF158F64CD85EAF3FE9EF18350F148069F90AA7210DA34DE62DBA0
    APIs
    • _free.LIBCMT ref: 00BE2BB9
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • _free.LIBCMT ref: 00BE2BC5
    • _free.LIBCMT ref: 00BE2BD0
    • _free.LIBCMT ref: 00BE2BDB
    • _free.LIBCMT ref: 00BE2BE6
    • _free.LIBCMT ref: 00BE2BF1
    • _free.LIBCMT ref: 00BE2BFC
    • _free.LIBCMT ref: 00BE2C07
    • _free.LIBCMT ref: 00BE2C12
    • _free.LIBCMT ref: 00BE2C20
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 6d9e6815fe3c44ce2b0ecb6c8fd47ed4bed28424fe27c18a8ceb4a5935df55f7
    • Instruction ID: 96c9b35c324f148cbb105a4bfcce6e1b3324b6dd6a96fef1d1d7c2b8f9fa35e0
    • Instruction Fuzzy Hash: 7D11B376100188BFCB01EF96C842CDD7BA9EF08354B4580E5BA088F622EB35EE50DF84
    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 00BED1BC
    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BED23F
    • __alloca_probe_16.LIBCMT ref: 00BED277
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BED2D2
    • __alloca_probe_16.LIBCMT ref: 00BED321
    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BED2E9
      • Part of subcall function 00BE2351: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00BE2383
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BED365
    • __freea.LIBCMT ref: 00BED390
    • __freea.LIBCMT ref: 00BED39C
    Similarity
    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
    • String ID:
    • API String ID: 201697637-0
    • Opcode ID: bbf97daeec6d6797f0ad3b1d3d489035973de603187f866002de1a454aa30b9f
    • Instruction ID: d0cb26ff70a556c7534743d17899a43c8820fe28527762d315f7f2cc7b6fc5a3
    • Instruction Fuzzy Hash: F291C371E002969EDB209F66C881AEEBBF5DF45710F1802A9E905FB281D7B5DC40C766
    APIs
    Similarity
    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
    • String ID:
    • API String ID: 1282221369-0
    • Opcode ID: bd899c22321d77318d14aa8576433fe23887731bf44d390715855299e045a945
    • Instruction ID: e76b9cf38d5ac57a1f9ed173f1100a1da48f220e11ea3e9a9dd060493ba0b32b
    • Instruction Fuzzy Hash: 18610C71904BC4AFDB25AF669881B6E7BE8EF05310F0942EDFA0897241EF369D01C790
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,74DEE010), ref: 00BC4D51
    • FindNextFileW.KERNEL32(?,?), ref: 00BC4D5C
    • GetLastError.KERNEL32(?,?), ref: 00BC4D75
    • SetErrorMode.KERNEL32(00000000,?,?), ref: 00BC4D7E
    • SetLastError.KERNEL32(00000000,?,?), ref: 00BC4D81
    • GetLastError.KERNEL32(?,?), ref: 00BC4D9D
    • GetLastError.KERNEL32(?,?), ref: 00BC4DD1
    • SetErrorMode.KERNEL32(00000000,?,?), ref: 00BC4DD6
    • SetLastError.KERNEL32(00000000,?,?), ref: 00BC4DD9
    Similarity
    • API ID: Error$Last$Mode$FileFindNext
    • String ID:
    • API String ID: 705879328-0
    • Opcode ID: 1b9de9c440730f18b577679a3d5feda8dc0c1f428391b9d96af5d08b3db6aedc
    • Instruction ID: 319b6eba15895a13fe486940811b436f7f7aee2a5565006d60b93424bcb7ea8e
    • Instruction Fuzzy Hash: 5311213170024A6BE7107B709C9AF7E77E9EF80351F0406B8F902CB1D2EF619E098661
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BDDBF9,00BDDBF9,?,?,?,00BE5893,00000001,00000001,A0E85006), ref: 00BE569C
    • __alloca_probe_16.LIBCMT ref: 00BE56D4
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BE5893,00000001,00000001,A0E85006,?,?,?), ref: 00BE5722
    • __alloca_probe_16.LIBCMT ref: 00BE57B9
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A0E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BE581C
    • __freea.LIBCMT ref: 00BE5829
      • Part of subcall function 00BE2351: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00BE2383
    • __freea.LIBCMT ref: 00BE5832
    • __freea.LIBCMT ref: 00BE5857
    Similarity
    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
    • String ID:
    • API String ID: 3864826663-0
    • Opcode ID: 5b1aa72c813a93c78f0fa6d96fee60301fa04dde3c2fe4a92f1bcb355e17f603
    • Instruction ID: deecf4b3046d77fc45f02a02c950dcd7c44347fdbad5b9f945767ca13fc7ae45
    • Instruction Fuzzy Hash: CC51F072600696AFEB348E62CC81EBF7BEAEB40758F1542A9FD05D6140EB34DC50C6A0
    APIs
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BCDBA8
    • __alloca_probe_16.LIBCMT ref: 00BCDBB9
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,?,?,00000000,00000000,00000001), ref: 00BCDBDD
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000), ref: 00BCDBEE
    • __alloca_probe_16.LIBCMT ref: 00BCDC0F
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,?,?,00000001), ref: 00BCDC39
    • _strlen.LIBCMT ref: 00BCDC50
    Similarity
    • API ID: ByteCharMultiWide$__alloca_probe_16$_strlen
    • String ID:
    • API String ID: 965100884-0
    • Opcode ID: ce9e1d1a22e48124b8b3f9a14a145b974e25e7d4fcd47c27cfaadb10d81283ca
    • Instruction ID: 610491ec71dcf8c20c7c6957bc6ba39c30d6878677ff9827e847647cac9aeb6c
    • Instruction Fuzzy Hash: EB4184B1904159AFE7149F94DCC5FBF77ACEF44354F1005ADB52697282DA709D01C7A0
    APIs
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BC24BB
    • __alloca_probe_16.LIBCMT ref: 00BC24CC
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,000000FF,?,?,00000000,00000000,00000001), ref: 00BC24F0
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,00000000,00000000), ref: 00BC2501
    • __alloca_probe_16.LIBCMT ref: 00BC2522
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,000000FF,?,?,00000001), ref: 00BC254C
    • _strlen.LIBCMT ref: 00BC2563
    Similarity
    • API ID: ByteCharMultiWide$__alloca_probe_16$_strlen
    • String ID:
    • API String ID: 965100884-0
    • Opcode ID: 1cba9585be72b37e308b7aa1967951559f426e7b25b2110c6a5e03b383b6bcb4
    • Instruction ID: 6a6465a51983dd78e5d3b1429f6424cc3455c3dbfeeed6b72321b69f1fc24dc5
    • Instruction Fuzzy Hash: 6431A471900125BBDB24AF96CC89EAF7FA8EF55770B104199B526A7281DE305A01CBA0
    APIs
    Strings
    Similarity
    • API ID: ___from_strstr_to_strchr_strlen
    • String ID: P
    • API String ID: 1576176021-3110715001
    • Opcode ID: 31f2468fdf328390cb57cbdfb0149283fbfeab3e8f4a670abf1aa04241302a8a
    • Instruction ID: 947c3bba05ffccdd2ab36827cb1f6231fd54836b021be5fe8b42c90cc7b91eff
    • Instruction Fuzzy Hash: B661B272208B469FD724CF69C880F6BB7D4EB84710F544AADF49687281DB70ED89CB51
    APIs
    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00BECAAA,?,00000000,?,00000000,00000000), ref: 00BEC377
    • __fassign.LIBCMT ref: 00BEC3F2
    • __fassign.LIBCMT ref: 00BEC40D
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00BEC433
    • WriteFile.KERNEL32(?,?,00000000,00BECAAA,00000000,?,?,?,?,?,?,?,?,?,00BECAAA,?), ref: 00BEC452
    • WriteFile.KERNEL32(?,?,00000001,00BECAAA,00000000,?,?,?,?,?,?,?,?,?,00BECAAA,?), ref: 00BEC48B
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 171cbd201b8233e072c77663869ad3b609153e4c1bfd7aa7aa176149b38142c8
    • Instruction ID: 697d15246e6c59486ae7b24365eef83386261552c27673fc1c40e33f2b13d64a
    • Instruction Fuzzy Hash: 285180B19002899FDB10DFA9D895AFEBFF8EF09310F1441AAE955E7391E7309941CB60
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00BDB9FB
    • ___except_validate_context_record.LIBVCRUNTIME ref: 00BDBA03
    • _ValidateLocalCookies.LIBCMT ref: 00BDBA91
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00BDBABC
    • _ValidateLocalCookies.LIBCMT ref: 00BDBB11
    Strings
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 965722339d43d51d0b37c32d60745060ffb7f826cccbc88983654badec147307
    • Instruction ID: 879ec946c5d0de8520512948535b996bda19ba1252c6e97d59ae9835beab6cf1
    • Instruction Fuzzy Hash: F741A434A00249EBCF10DF69C885E9EFBF5EF44318F1581EAE9155B392EB319A01CB90
    APIs
      • Part of subcall function 00BE9786: _free.LIBCMT ref: 00BE97AF
    • _free.LIBCMT ref: 00BE9810
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • _free.LIBCMT ref: 00BE981B
    • _free.LIBCMT ref: 00BE9826
    • _free.LIBCMT ref: 00BE987A
    • _free.LIBCMT ref: 00BE9885
    • _free.LIBCMT ref: 00BE9890
    • _free.LIBCMT ref: 00BE989B
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: d4f64a1fa74aa0e37a3d312bb46bc20dd13bedf104f1eae442eb165625181388
    • Instruction ID: 68347de74a4892c015437f93fd671aa2235c364027e67c668d0255717189c811
    • Instruction Fuzzy Hash: 4B11AC31944B98BAD632BBB3DC07FCB77DDAF40300F400954B299AA052CB29B90C8A40
    APIs
    • SetErrorMode.KERNEL32(00008001,?,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC44DD
    • DeleteFileW.KERNEL32(?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC44E6
    • GetLastError.KERNEL32(?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC44F0
    • SetErrorMode.KERNEL32(00000000,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC44F9
    • SetLastError.KERNEL32(00000000,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4500
    • GetLastError.KERNEL32(?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC450E
      • Part of subcall function 00BC4BA9: SetErrorMode.KERNELBASE(00008001,00000000,?,?,?,?,00BC4539,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BBB
      • Part of subcall function 00BC4BA9: SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BC5
      • Part of subcall function 00BC4BA9: GetLastError.KERNEL32(?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BCF
      • Part of subcall function 00BC4BA9: SetErrorMode.KERNELBASE(00000000,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BD8
      • Part of subcall function 00BC4BA9: SetLastError.KERNEL32(00000000,?,?,?,?,00BD015F,?,00BCE885,?,?), ref: 00BC4BDF
    Similarity
    • API ID: Error$Last$Mode$File$AttributesDelete
    • String ID:
    • API String ID: 1985372991-0
    • Opcode ID: e915ba50ccef558319982338599e54a7965d5566e08b5376a838a3a9abd0e4ce
    • Instruction ID: 55101ca3a1252a23bab66f3218fc55927dd5a9404f5027f16c1b44241337a75a
    • Instruction Fuzzy Hash: F611BF327002426BD6146B74AC5BF7B76D8DB92762F1009BDF906CB282EF619A048271
    APIs
    Strings
    Similarity
    • API ID: _wcslen
    • String ID: $*$l
    • API String ID: 176396367-2827349907
    • Opcode ID: e72a2029e5368a2c3329bcc5a3b80f39205fc20ba65d2f746c58082c0b492553
    • Instruction ID: fc1f0361c3df10f70e5d7dfa2387769b600c7a1ae70184524b90e0e8604f9319
    • Instruction Fuzzy Hash: 96A135726043038BDB389E2CAC84F3576D1EB84750F6849BFE9C59B684FEB0CD818652
    APIs
    • GetLastError.KERNEL32(?,?,00BDCA72,?,00000002,?,00BDE93E,00BDF09C,?,00000000,?), ref: 00BE2C9D
    • _free.LIBCMT ref: 00BE2CD0
    • _free.LIBCMT ref: 00BE2CF8
    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,00BDF09C,00000000,?,?,00BFD8A8), ref: 00BE2D05
    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,00BDF09C,00000000,?,?,00BFD8A8), ref: 00BE2D11
    • _abort.LIBCMT ref: 00BE2D17
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 8d20466a00f116711de3315e40f66d0b97a4f27edbd422b0a08f28b7ba6e6052
    • Instruction ID: c98769d3668490b527fd34ac6c34c8cd3bdde8be5ea7bf7c93b97e44fc113781
    • Instruction Fuzzy Hash: EDF0FF361416C16AC312373BAC4AF2E22DDDFC1722B3548B4FE1593292EF65CD028164
    APIs
    Strings
    Similarity
    • API ID: _wcsrchr
    • String ID: .bat$.cmd$.com$.exe
    • API String ID: 1752292252-4019086052
    • Opcode ID: 2f36d0a840caf1b687866c314c69e7e70a62ab2a0ada1e4d701a2f3d5bcf6852
    • Instruction ID: 3add68a86819fdf26277f7c5e6b494316a78d99f8102ad98bac9754537084da9
    • Instruction Fuzzy Hash: 99F0C22354CF5334592824266813FB7D7C9CF02770B2411FBF81A592E2FF09D85280E4
    APIs
    • OleInitialize.OLE32(00000000), ref: 00BD7001
    • SHBrowseForFolderW.SHELL32(?), ref: 00BD703B
    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BD704D
    • SetDlgItemTextW.USER32(?,000003E9,?), ref: 00BD7066
    Strings
    Similarity
    • API ID: BrowseFolderFromInitializeItemListPathText
    • String ID: @
    • API String ID: 390972020-2766056989
    • Opcode ID: d9e31095cc29230f2617616bcb1ddb63f1c63accc77943d7f1f24245ed4d9fca
    • Instruction ID: 00b8dbb4abc26237fe5c72b596ac910713fab00c64806e286b6bd7e24baac7f7
    • Instruction Fuzzy Hash: 35011771D003099FDB11DFA5DC48AEEBBF8FB54310F00466AE511AB250EBB8AA44CF90
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BE1073,00000000,?,00BE1013,00000000,00C00BE0,0000000C,00BE116A,00000000,00000002), ref: 00BE10E2
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BE10F5
    • FreeLibrary.KERNEL32(00000000,?,?,?,00BE1073,00000000,?,00BE1013,00000000,00C00BE0,0000000C,00BE116A,00000000,00000002), ref: 00BE1118
    Strings
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 450f1a1d515bc2d1ef045e36c78beb345d91a6e92e56bba250cfc1b3d319f437
    • Instruction ID: 0042e68ee73767cabb46b8378244199b5e6843f9ab4e6da97bf1d115dce2cbdf
    • Instruction Fuzzy Hash: 7FF08C31A0114DFBCB11AF95DC4ABAEBBF9EF04755F1041A8B905A72A1DB308A40DA91
    APIs
    Similarity
    • API ID: _wcschr_wcslen
    • String ID:
    • API String ID: 4217289577-0
    • Opcode ID: 5ab8047e7d96cc7cb3994a5ba4a9f218e28f2119e061b2eef7ce73949d70fea4
    • Instruction ID: 205744e471c8e7916b351005ffb0e5ddc2905f90ae5fc13d11a63ef7fdedb12a
    • Instruction Fuzzy Hash: 02718D722087069FD724CF68D885F6BB7E4EB84710F10496EF986DB2C0EA70ED84C655
    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,A0E85006,00BDCBC4,00000000,00000000,00BDDBF9,?,00BDDBF9,?,00000001,00BDCBC4,A0E85006,00000001,00BDDBF9,00BDDBF9), ref: 00BE98F3
    • __alloca_probe_16.LIBCMT ref: 00BE992B
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BE997C
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BE998E
    • __freea.LIBCMT ref: 00BE9997
      • Part of subcall function 00BE2351: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00BE2383
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
    • String ID:
    • API String ID: 313313983-0
    APIs
    • SetErrorMode.KERNEL32(00008001,?,00000000), ref: 00BC497F
    • GetLastError.KERNEL32(?,00000000), ref: 00BC4993
    • SetErrorMode.KERNEL32(00000000,?,00000000), ref: 00BC499C
    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00BC499F
    • GetLastError.KERNEL32(?,00000000), ref: 00BC49AE
      • Part of subcall function 00BCA285: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2B0
      • Part of subcall function 00BCA285: LocalFree.KERNEL32(00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2CE
    Similarity
    • API ID: Error$Last$Mode$FormatFreeLocalMessage
    • String ID:
    • API String ID: 2870544069-0
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00BE8D81
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BE8DA4
      • Part of subcall function 00BE2351: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00BE2383
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BE8DCA
    • _free.LIBCMT ref: 00BE8DDD
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BE8DEC
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    APIs
    Similarity
    • API ID: _wcslen$_wcsstr
    • String ID:
    • API String ID: 559806763-0
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00BC3EB2
    • GetFileTime.KERNEL32(?,?,?,?), ref: 00BC3ECC
    • GetLastError.KERNEL32 ref: 00BC3ED4
    • SetErrorMode.KERNEL32(00000000), ref: 00BC3EDD
    • SetLastError.KERNEL32(00000000), ref: 00BC3EE4
      • Part of subcall function 00BC417E: SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,?,?,?,?,?,00BC3F23), ref: 00BC4191
      • Part of subcall function 00BC417E: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00BC3F23), ref: 00BC419E
      • Part of subcall function 00BC417E: GetLastError.KERNEL32(?,?,?,?,?,00BC3F23), ref: 00BC41A6
      • Part of subcall function 00BC417E: SetErrorMode.KERNEL32(00000000,?,?,?,?,?,00BC3F23), ref: 00BC41AF
      • Part of subcall function 00BC417E: SetLastError.KERNEL32(00000000,?,?,?,?,?,00BC3F23), ref: 00BC41B6
    Similarity
    • API ID: Error$LastMode$Time$File$System
    • String ID:
    • API String ID: 1744743945-0
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,?,?,?,?,?,00BC3F23), ref: 00BC4191
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00BC3F23), ref: 00BC419E
    • GetLastError.KERNEL32(?,?,?,?,?,00BC3F23), ref: 00BC41A6
    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,00BC3F23), ref: 00BC41AF
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00BC3F23), ref: 00BC41B6
    Similarity
    • API ID: Error$LastModeTime$FileSystem
    • String ID:
    • API String ID: 81331137-0
    APIs
    • GetLastError.KERNEL32(?,?,00000000,00BE2309,00BE560C,?,?,?,00BC9112,00000000,?,00BC1DC2,?,?,?,00BC1D00), ref: 00BE2D22
    • _free.LIBCMT ref: 00BE2D57
    • _free.LIBCMT ref: 00BE2D7E
    • SetLastError.KERNEL32(00000000), ref: 00BE2D8B
    • SetLastError.KERNEL32(00000000), ref: 00BE2D94
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00BC480B
    • RemoveDirectoryW.KERNEL32(?), ref: 00BC4814
    • GetLastError.KERNEL32 ref: 00BC481E
    • SetErrorMode.KERNEL32(00000000), ref: 00BC4827
    • SetLastError.KERNEL32(00000000), ref: 00BC482E
    Similarity
    • API ID: Error$LastMode$DirectoryRemove
    • String ID:
    • API String ID: 3654348948-0
    APIs
    • SetErrorMode.KERNEL32(00008001,?,?,00000000,00BD7E09,00BF85C0,00000000,?,00BD7CC2), ref: 00BC4F3D
    • GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F4B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F53
    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F5C
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BC4F63
    Similarity
    • API ID: Error$LastMode$CurrentDirectory
    • String ID:
    • API String ID: 2233552685-0
    APIs
    • _wcslen.LIBCMT ref: 00BD8695
    • OpenProcess.KERNEL32(00000400,00000001,00000000,00BF85C0,00000000,?,00000000,00BD7ACA,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00BD86BB
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00BD86CE
    • Sleep.KERNEL32(00000064,?,00000000,00000000,00000000,00000000), ref: 00BD86D6
    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00BD86E2
    Similarity
    • API ID: Process$CloseCodeExitHandleOpenSleep_wcslen
    • String ID:
    • API String ID: 2166683340-0
    APIs
    • SetErrorMode.KERNEL32(00008001,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4DFD
    • FindClose.KERNEL32(?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E08
    • GetLastError.KERNEL32(?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E12
    • SetErrorMode.KERNEL32(00000000,?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E1B
    • SetLastError.KERNEL32(00000000,?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E22
    Similarity
    • API ID: Error$LastMode$CloseFind
    • String ID:
    • API String ID: 2489206347-0
    APIs
    • _free.LIBCMT ref: 00BE9735
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • _free.LIBCMT ref: 00BE9747
    • _free.LIBCMT ref: 00BE9759
    • _free.LIBCMT ref: 00BE976B
    • _free.LIBCMT ref: 00BE977D
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    APIs
    • _free.LIBCMT ref: 00BE1BF3
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • _free.LIBCMT ref: 00BE1C05
    • _free.LIBCMT ref: 00BE1C18
    • _free.LIBCMT ref: 00BE1C29
    • _free.LIBCMT ref: 00BE1C3A
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\INSTALL (1).EXE,00000104), ref: 00BE11FD
    • _free.LIBCMT ref: 00BE12C8
    • _free.LIBCMT ref: 00BE12D2
    Strings
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\INSTALL (1).EXE
    • API String ID: 2506810119-604371735
    APIs
    • LockFileEx.KERNEL32(?,00000000,00000000,00000001,00000000,?), ref: 00BC3AC2
    • GetLastError.KERNEL32 ref: 00BC3ACF
    • UnlockFileEx.KERNEL32(?,00000000,00000001,00000000,?), ref: 00BC3B59
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3B00
    Similarity
    • API ID: File$ErrorLastLockUnlock
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 187685564-1932549541
    APIs
    • IsWindow.USER32(00000002), ref: 00BCEB86
    • SendMessageW.USER32(00000002,00000496,00000001,00000001), ref: 00BCEB9E
    • IsWindow.USER32(00000002), ref: 00BCEBA5
    Strings
    Similarity
    • API ID: Window$MessageSend
    • String ID: j
    • API String ID: 1496643700-2137352139
    APIs
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000001,00000014), ref: 00BD7178
    • SendDlgItemMessageW.USER32(?,000003ED,00000401,00000000), ref: 00BD721B
    • SendDlgItemMessageW.USER32(?,000003ED,00000402,00000000,00000000), ref: 00BD7392
      • Part of subcall function 00BC2820: InterlockedDecrement.KERNEL32(?), ref: 00BC282B
    Similarity
    • API ID: ItemMessageSend$DecrementFileInterlockedModuleName
    • String ID:
    • API String ID: 4017809599-0
    APIs
    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00BDF531
      • Part of subcall function 00BDF8B6: __dosmaperr.LIBCMT ref: 00BDF8F9
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BDF43A), ref: 00BDF65C
    • __dosmaperr.LIBCMT ref: 00BDF663
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00BDF6A0
    Similarity
    • API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
    • String ID:
    • API String ID: 3955570002-0
    APIs
      • Part of subcall function 00BC8E27: _wcsstr.LIBVCRUNTIME ref: 00BC8E40
      • Part of subcall function 00BC8D45: _wcslen.LIBCMT ref: 00BC8D4C
    • _wcslen.LIBCMT ref: 00BC8EAC
    • _wcslen.LIBCMT ref: 00BC8EB7
    • __alloca_probe_16.LIBCMT ref: 00BC8EFA
    • _wcsstr.LIBVCRUNTIME ref: 00BC8F1B
    Similarity
    • API ID: _wcslen$_wcsstr$__alloca_probe_16
    • String ID:
    • API String ID: 1920192910-0
    • Opcode ID: 669b9e3663b33df0e5790c4a5e3ff71cd81daf7eed18b2f44d38346b9d7921a1
    • Instruction ID: 1524dd8432ff017fcde1718108a1be701b538ad3a9c0f4371f456f4be67c664b
    • Opcode Fuzzy Hash: 669b9e3663b33df0e5790c4a5e3ff71cd81daf7eed18b2f44d38346b9d7921a1
    • Instruction Fuzzy Hash: F6416371E00109ABDB15EFA8D881EAEB7F5EF84324F1445AEE415A7391EF309E01CB94
    APIs
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,00000000,?,?,00BC93EE,?,?,?,?,00BC94E5,00000000,00BC952A), ref: 00BC92B2
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BC9347
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BC93AD
    • SetLastError.KERNEL32(00000057,?,?,?,00000000,?,?,00BC93EE,?,?,?,?,00BC94E5,00000000,00BC952A), ref: 00BC93C7
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Time$FileSystem$ErrorLast
    • String ID:
    • API String ID: 2998303600-0
    • Opcode ID: 4b1e963318309da6f32231372214ee59f3c3ed5a500c7247eed595c930383e26
    • Instruction ID: 65faad51e10dd260584715631858dd7c534a2848604b71c210eec9919b69e428
    • Opcode Fuzzy Hash: 4b1e963318309da6f32231372214ee59f3c3ed5a500c7247eed595c930383e26
    • Instruction Fuzzy Hash: 9541B2311087458BD714EF24C488B6BB7F4EBC8714F004A6EF5EA97191E7B0DA858B5A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: _wcsstr$_wcschr_wcslen
    • String ID:
    • API String ID: 1239222604-0
    • Opcode ID: 58de37d925046616737e241b296a09c2ee128c62233a1c97541ce807c8ebd5fe
    • Instruction ID: dd1c34d9944333b1b8aa3274b60fae23cdc603dc70a09c625dd2a5d98bfdfc46
    • Opcode Fuzzy Hash: 58de37d925046616737e241b296a09c2ee128c62233a1c97541ce807c8ebd5fe
    • Instruction Fuzzy Hash: 793190365087129AC321EF64D840EBBB3E4EF89320F144D9EF89597261EB20D845C7A1
    APIs
    • _free.LIBCMT ref: 00BE462A
      • Part of subcall function 00BE2317: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?), ref: 00BE232D
      • Part of subcall function 00BE2317: GetLastError.KERNEL32(?,?,00BE97B4,?,00000000,?,00000000,?,00BE97DB,?,00000007,?,?,00BE9BD8,?,?), ref: 00BE233F
    • GetTimeZoneInformation.KERNEL32 ref: 00BE463C
    • WideCharToMultiByte.KERNEL32(00000000,?,00C048EC,000000FF,?,0000003F,?,?), ref: 00BE46B4
    • WideCharToMultiByte.KERNEL32(00000000,?,00C04940,000000FF,?,0000003F,?,?,?,00C048EC,000000FF,?,0000003F,?,?), ref: 00BE46E1
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
    • String ID:
    • API String ID: 806657224-0
    • Opcode ID: b82871a22a190cf6253939fc1b89ccced6f74070c066d73128558c030ee66ddf
    • Instruction ID: e3099caad77f983babe55cccb74ca7d42c8cd93c96bfc31dc3dfc5319773c563
    • Opcode Fuzzy Hash: b82871a22a190cf6253939fc1b89ccced6f74070c066d73128558c030ee66ddf
    • Instruction Fuzzy Hash: 6C31ADB1900285DFCB15DF6ADC80A6EBBF8FF4632071586EAE2609B2A1D7308D01DB10
    APIs
    • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 00BDF6F6
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BDF70A
    • GetLastError.KERNEL32 ref: 00BDF752
    • __dosmaperr.LIBCMT ref: 00BDF759
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
    • String ID:
    • API String ID: 593088924-0
    • Opcode ID: 640f4f6c0c80dae77d55451affeeacae693c4277553ba9f268d7c7eab4b885e9
    • Instruction ID: 1a382e6b8ffc38084d11ea234352c9e6a39976694ad2f2ee87efd4defd594a49
    • Opcode Fuzzy Hash: 640f4f6c0c80dae77d55451affeeacae693c4277553ba9f268d7c7eab4b885e9
    • Instruction Fuzzy Hash: 8621EF7290414DABCB14DFE1C985AEEB7FCAB08320F1042A6E526D7291EB34DB44CB61
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9fba21df9b920736c7aa546650d13873a940bdf6f7de75f17435ae964b8e1114
    • Instruction ID: 8538e0296f707863db674e00d8c83ccd71228312c01da7cbecbcb57525f2e313
    • Opcode Fuzzy Hash: 9fba21df9b920736c7aa546650d13873a940bdf6f7de75f17435ae964b8e1114
    • Instruction Fuzzy Hash: C401A2B26092967EEA201A7E6CC0F27629CDF513B4B390BA5F521961D1EF758C004174
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00BE4B4A,?,00000000,00000000,00000000,?,00BE4DBB,00000006,FlsSetValue), ref: 00BE4BD5
    • GetLastError.KERNEL32(?,00BE4B4A,?,00000000,00000000,00000000,?,00BE4DBB,00000006,FlsSetValue,00BF1D98,FlsSetValue,00000000,00000364,?,00BE2D6B), ref: 00BE4BE1
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BE4B4A,?,00000000,00000000,00000000,?,00BE4DBB,00000006,FlsSetValue,00BF1D98,FlsSetValue,00000000), ref: 00BE4BEF
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: ab555f934bb37ea025bfed1800e02e4020909f2aa27e3d775c3a6a18a78aef6e
    • Instruction ID: e28019383dcbfed8a6c035a8a8a8bf9cf24942dad76c7e039e54acfd717c18d5
    • Opcode Fuzzy Hash: ab555f934bb37ea025bfed1800e02e4020909f2aa27e3d775c3a6a18a78aef6e
    • Instruction Fuzzy Hash: B80184366122679BC7214A7E9CC4A6677E8EF457A1B214660E906D7281DB21D840C6E0
    APIs
    • __startOneArgErrorHandling.LIBCMT ref: 00BE0ACD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorHandling__start
    • String ID: pow
    • API String ID: 3213639722-2276729525
    • Opcode ID: 3c24627b98880dced47b2f567acf9fc85f0d325f6f86542659a831998ecc7e60
    • Instruction ID: 407776a79b5af201017a066b5ddaa212409a220f1177920ca3319bce6fbeb913
    • Opcode Fuzzy Hash: 3c24627b98880dced47b2f567acf9fc85f0d325f6f86542659a831998ecc7e60
    • Instruction Fuzzy Hash: EC515E61A6C28696D715772ADD4137A27D4EF40740F308DF8E486433A9EFB48CD1EA46
    APIs
    • _wcslen.LIBCMT ref: 00BC520B
    • _wcslen.LIBCMT ref: 00BC5233
      • Part of subcall function 00BC4DEC: SetErrorMode.KERNEL32(00008001,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4DFD
      • Part of subcall function 00BC4DEC: FindClose.KERNEL32(?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E08
      • Part of subcall function 00BC4DEC: GetLastError.KERNEL32(?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E12
      • Part of subcall function 00BC4DEC: SetErrorMode.KERNEL32(00000000,?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E1B
      • Part of subcall function 00BC4DEC: SetLastError.KERNEL32(00000000,?,?,74DEE010,00000000,?,00BC4DD1,?,?), ref: 00BC4E22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: Error$LastMode_wcslen$CloseFind
    • String ID: *.*
    • API String ID: 3603819856-438819550
    • Opcode ID: 508e2ea1832a93ce5f3ec53908eb8df330f96a4241917c06c8507f141b82a561
    • Instruction ID: c8cf9118f11f9dc5f3988e3c951c63158f01205fdacf7c957c2f125badc6ff77
    • Opcode Fuzzy Hash: 508e2ea1832a93ce5f3ec53908eb8df330f96a4241917c06c8507f141b82a561
    • Instruction Fuzzy Hash: FF21C135308B060BC635F6B498A5F7E62D6DF84710B1849FDBC029F287EF64ED8A8251
    APIs
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3D12
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: ErrorFileLast
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 734332943-1932549541
    • Opcode ID: 1f42f15df3c42dab9991c8dc4db2b38d4e7230b113e1de2b2f9a66a430255799
    • Instruction ID: e1c6480bbe13418ea547799d2a5a5b63bb412e2b6fbc2d7366e13aded36f7c9f
    • Opcode Fuzzy Hash: 1f42f15df3c42dab9991c8dc4db2b38d4e7230b113e1de2b2f9a66a430255799
    • Instruction Fuzzy Hash: BE119371340205BFE7006F71DC8AF7AB7DAEF50B00F4085ACF5169B292DF61AE618650
    APIs
    • FlushFileBuffers.KERNEL32(?,00000001), ref: 00BC3C0F
    • GetLastError.KERNEL32 ref: 00BC3C1B
      • Part of subcall function 00BCA285: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2B0
      • Part of subcall function 00BCA285: LocalFree.KERNEL32(00000000,?,00000000,?,00BC388A,00000000,?,00BFD8A8,00000001,00000003), ref: 00BCA2CE
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00BC3C4D
    Memory Dump Source
    • Source File: 00000000.00000002.1665520888.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true
    • Associated: 00000000.00000002.1665503929.0000000000BC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665554715.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665582013.0000000000C03000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1665601469.0000000000C06000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bc0000_INSTALL (1).jbxd
    Similarity
    • API ID: BuffersErrorFileFlushFormatFreeLastLocalMessage
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 1721071265-1932549541
    • Opcode ID: ed1095046e75f5d701ee7cbfb24a741a790dfb858f5d64f482c3a294fa7aaeca
    • Instruction ID: c0279231e61d16feddef7532143fd2a648a79603a978860e6cfb626975f301a2
    • Opcode Fuzzy Hash: ed1095046e75f5d701ee7cbfb24a741a790dfb858f5d64f482c3a294fa7aaeca
    • Instruction Fuzzy Hash: CF01B132340501BBE6047B71EC86F7AF39AEF90700F0086ACF51A9A292DF516C6186A1

    Execution Graph

    Execution Coverage: 7.4%
    Dynamic/Decrypted Code Coverage: 0%
    Signature Coverage: 2.5%
    Total number of Nodes: 1210
    Total number of Limit Nodes: 26
25176->25175 25180 945289 25176->25180 25177 94523f 25177->24757 25194 945144 25180->25194 25202 94c560 25182->25202 25185 946a57 _free 14 API calls 25186 9451f0 25185->25186 25187 945214 25186->25187 25188 9451f7 GetModuleHandleExW 25186->25188 25189 945144 16 API calls 25187->25189 25188->25187 25190 94521c 25189->25190 25190->25174 25190->25180 25191->25171 25192->25177 25193->25180 25195 945174 25194->25195 25196 945150 25194->25196 25195->24757 25197 945156 CloseHandle 25196->25197 25198 94515f 25196->25198 25197->25198 25199 945165 FreeLibrary 25198->25199 25200 94516e 25198->25200 25199->25200 25201 946a57 _free 14 API calls 25200->25201 25201->25195 25203 94c56d _free 25202->25203 25204 94c5ad 25203->25204 25205 94c598 RtlAllocateHeap 25203->25205 25209 945392 EnterCriticalSection LeaveCriticalSection _free 25203->25209 25210 946a44 14 API calls _free 25204->25210 25205->25203 25207 9451e3 25205->25207 25207->25185 25209->25203 25210->25207 25212 9450d0 CallCatchBlock 25211->25212 25213 9450e4 25212->25213 25214 9450d7 GetLastError ExitThread 25212->25214 25226 947128 GetLastError 25213->25226 25219 945100 KiUserCallbackDispatcher 25258 9452b0 25219->25258 25227 94713f 25226->25227 25228 947145 25226->25228 25272 9498bf 6 API calls _free 25227->25272 25250 94714b SetLastError 25228->25250 25267 9498fe 25228->25267 25232 94c560 _free 14 API calls 25234 947173 25232->25234 25237 947192 25234->25237 25238 94717b 25234->25238 25235 9471df 25274 946732 37 API calls __purecall 25235->25274 25236 9450e9 25253 94c65d 25236->25253 25241 9498fe _free 6 API calls 25237->25241 25239 9498fe _free 6 API calls 25238->25239 25242 947189 25239->25242 25244 94719e 25241->25244 25247 946a57 _free 14 API calls 25242->25247 25245 9471a2 25244->25245 25246 9471b3 25244->25246 25248 9498fe _free 6 API calls 25245->25248 25273 946f56 14 API calls _free 25246->25273 25247->25250 25248->25242 25250->25235 25250->25236 25251 9471be 25252 946a57 _free 14 API calls 25251->25252 
25252->25250 25254 9450f4 25253->25254 25255 94c66f GetPEB 25253->25255 25254->25219 25265 949a19 5 API calls _free 25254->25265 25255->25254 25256 94c682 25255->25256 25289 949785 25256->25289 25292 94517b 17 API calls _free 25258->25292 25265->25219 25275 9496c2 25267->25275 25270 947163 25270->25232 25270->25250 25271 949938 TlsSetValue 25272->25228 25273->25251 25276 9496f0 25275->25276 25279 9496ec 25275->25279 25276->25279 25282 9495fb 25276->25282 25279->25270 25279->25271 25280 94970a GetProcAddress 25280->25279 25281 94971a _free 25280->25281 25281->25279 25287 94960c ___vcrt_FlsGetValue 25282->25287 25283 9496b7 25283->25279 25283->25280 25284 94962a LoadLibraryExW 25285 949645 GetLastError 25284->25285 25284->25287 25285->25287 25286 9496a0 FreeLibrary 25286->25287 25287->25283 25287->25284 25287->25286 25288 949678 LoadLibraryExW 25287->25288 25288->25287 25290 9496c2 _free 5 API calls 25289->25290 25291 9497a1 25290->25291 25291->25254 25294 9255d8 error_info_injector 25293->25294 25295 9256a6 25294->25295 25297 942bc6 GetStringTypeW collate 25294->25297 25295->24762 25297->25294 25329 927f29 SetErrorMode GetTempPathW GetLastError SetErrorMode SetLastError 25298->25329 25301 9274e2 58 API calls 25302 92804c 25301->25302 25303 927512 60 API calls 25302->25303 25305 92805b 25302->25305 25303->25305 25306 92806e 25305->25306 25333 927fa6 SetErrorMode GetTempFileNameW GetLastError SetErrorMode SetLastError 25305->25333 25306->24768 25307 92723e 25306->25307 25308 927248 __EH_prolog 25307->25308 25309 92943d 19 API calls 25308->25309 25310 92726a SetErrorMode DeleteFileW GetLastError SetErrorMode SetLastError 25309->25310 25312 9272ab collate 25310->25312 25311 923538 Concurrency::wait 18 API calls 25313 9272e8 25311->25313 25315 9272d1 25312->25315 25339 92d3ee 47 API calls collate 25312->25339 25313->24764 25315->25311 25317 92751c __EH_prolog 25316->25317 25318 92943d 19 API calls 25317->25318 25322 92752e 25317->25322 25319 92754d SetErrorMode 
25318->25319 25340 929254 25319->25340 25321 923538 Concurrency::wait 18 API calls 25321->25322 25322->24768 25323 927566 error_info_injector 25328 9275e6 25323->25328 25344 927613 25323->25344 25326 9275c5 collate 25326->25328 25357 92d3ee 47 API calls collate 25326->25357 25328->25321 25330 927f8f 25329->25330 25331 927f6a collate 25329->25331 25330->25301 25330->25306 25331->25330 25337 92d3ee 47 API calls collate 25331->25337 25335 927ff4 collate 25333->25335 25334 92801c 25334->25306 25335->25334 25338 92d3ee 47 API calls collate 25335->25338 25337->25330 25338->25334 25339->25315 25342 92925c 25340->25342 25341 929285 25341->25323 25342->25341 25358 92935e 18 API calls 25342->25358 25345 927635 25344->25345 25349 927641 25344->25349 25346 9275a5 GetLastError SetErrorMode SetLastError 25345->25346 25347 92767d SetLastError 25345->25347 25346->25326 25347->25346 25348 92769e GetFileAttributesW 25351 9276b1 25348->25351 25352 9276ba 25348->25352 25349->25347 25349->25348 25350 92768c 25349->25350 25350->25348 25359 92771f SetLastError 25351->25359 25352->25346 25354 9276f5 CreateDirectoryW 25352->25354 25355 927613 SetLastError 25352->25355 25354->25346 25356 9276ea 25355->25356 25356->25346 25356->25354 25357->25328 25358->25341 25359->25346 25448 953014 25360->25448 25362 93bc81 GetPrivateProfileStringW 25449 9241c2 25362->25449 25364 93bcd9 error_info_injector 25453 923155 25364->25453 25366 93bd0a GetPrivateProfileStringW 25367 93bd35 error_info_injector 25366->25367 25368 923155 18 API calls 25367->25368 25369 93bd56 25368->25369 25457 93b562 25369->25457 25371 93bd69 25372 93b562 18 API calls 25371->25372 25373 93bd7c 25372->25373 25374 93bd93 GetPrivateProfileStringW 25373->25374 25461 9436c4 38 API calls collate 25373->25461 25375 9241c2 18 API calls 25374->25375 25377 93bdc0 GetPrivateProfileStringW 25375->25377 25379 939b8b 25377->25379 25378 93bd8f 25378->25374 25379->24783 25379->24784 25381 92b962 collate 17 API calls 25380->25381 25382 92b81e 
25381->25382 25382->24797 25384 939c8b __EH_prolog 25383->25384 25462 9445db 25384->25462 25386 939cb3 25387 9445db 38 API calls 25386->25387 25388 939cd3 25387->25388 25472 92a987 25388->25472 25392 939d20 25480 92428d 25392->25480 25395 939de9 25498 93ae2c 25395->25498 25398 939db9 25400 939dd7 MessageBoxW 25398->25400 25399 938f79 44 API calls 25401 939e15 25399->25401 25402 93a0e8 25400->25402 25512 92443d 25401->25512 25583 924245 25402->25583 25407 93b562 18 API calls 25417 939e65 error_info_injector 25407->25417 25411 93b562 18 API calls 25411->25417 25412 939c2d 25412->24802 25412->24803 25413 939f47 25576 9243e2 25413->25576 25415 93a087 25416 93ae2c 8 API calls 25415->25416 25420 93a002 25415->25420 25416->25420 25417->25411 25417->25413 25422 939f4c error_info_injector 25417->25422 25424 939eb1 25417->25424 25418 923538 Concurrency::wait 18 API calls 25418->25402 25420->25418 25422->25413 25425 939f96 25422->25425 25431 93a01d 25422->25431 25423 92443d 74 API calls 25423->25424 25424->25420 25424->25423 25429 93b562 18 API calls 25424->25429 25596 93b220 SendMessageW 25424->25596 25597 92439c InternetSetOptionW InternetSetOptionW error_info_injector collate 25424->25597 25598 924c33 18 API calls Concurrency::wait 25424->25598 25537 926036 25425->25537 25428 939fa1 25540 927046 25428->25540 25429->25417 25603 92d318 47 API calls collate 25431->25603 25433 93a069 25435 923538 Concurrency::wait 18 API calls 25433->25435 25434 939ff7 25600 9260dc 19 API calls 2 library calls 25434->25600 25435->25413 25439 939fe8 25440 939ff2 25439->25440 25441 93a007 25439->25441 25599 9262d9 15 API calls ___std_exception_copy 25440->25599 25601 9262d9 15 API calls ___std_exception_copy 25441->25601 25444 93a00c 25602 9260dc 19 API calls 2 library calls 25444->25602 25446 93a01b 25446->25413 25447->24789 25448->25362 25450 9241d2 error_info_injector 25449->25450 25451 923155 18 API calls 25450->25451 25452 9241e7 25451->25452 25452->25364 25454 92316a error_info_injector 
25453->25454 25455 923538 Concurrency::wait 18 API calls 25454->25455 25456 92318c 25454->25456 25455->25456 25456->25366 25458 93b572 error_info_injector 25457->25458 25460 93b5c7 25457->25460 25459 923538 Concurrency::wait 18 API calls 25458->25459 25458->25460 25459->25460 25460->25371 25461->25378 25463 9445e9 25462->25463 25466 94460c 25462->25466 25465 9445ef 25463->25465 25463->25466 25605 946a44 14 API calls _free 25465->25605 25607 944624 38 API calls 3 library calls 25466->25607 25467 94461f 25467->25386 25469 9445f4 25606 946987 25 API calls __wmakepath 25469->25606 25471 9445ff 25471->25386 25473 92a991 __EH_prolog 25472->25473 25608 92aab5 25473->25608 25476 92aa6d 25477 92aa7b 25476->25477 25478 92b861 collate 14 API calls 25477->25478 25479 92aa83 25478->25479 25479->25392 25481 92429c 25480->25481 25483 9242ba collate 25480->25483 25623 924ce6 25481->25623 25485 9242d3 InternetSetOptionW InternetConnectW 25483->25485 25615 924dd3 25483->25615 25484 9242a1 25484->25483 25486 9242a5 25484->25486 25488 92430b 25485->25488 25489 924328 InternetSetOptionW InternetSetOptionW InternetSetOptionW 25485->25489 25632 924d16 52 API calls 2 library calls 25486->25632 25633 924d16 52 API calls 2 library calls 25488->25633 25493 9242b0 25489->25493 25496 924359 error_info_injector 25489->25496 25493->25395 25493->25398 25494 92431a 25634 92441b 25494->25634 25496->25493 25497 924372 InternetSetOptionW InternetSetOptionW 25496->25497 25497->25493 25499 93ae40 25498->25499 25500 93ae98 GetDlgItem 25498->25500 25501 93ae45 25499->25501 25502 93ae7e GetDlgItem 25499->25502 25503 93aeb0 GetDlgItem 25500->25503 25504 93ae64 GetDlgItem 25501->25504 25505 93ae4a 25501->25505 25502->25503 25506 93aebc SendMessageW 25503->25506 25504->25503 25505->25506 25507 93ae4f GetDlgItem 25505->25507 25508 93aed2 SendMessageW 25506->25508 25509 93aede 25506->25509 25507->25506 25508->25509 25510 939df2 25509->25510 25511 93aee7 Sleep 25509->25511 25510->25399 25511->25510 25513 924447 
Mailbox error_info_injector __EH_prolog 25512->25513 25514 9246c2 25513->25514 25515 924483 HttpOpenRequestW 25513->25515 25514->25407 25516 9244b5 25515->25516 25517 9246ed 25515->25517 25518 92bf08 42 API calls 25516->25518 25697 924d16 52 API calls 2 library calls 25517->25697 25520 9244cc collate 25518->25520 25521 9244e5 HttpAddRequestHeadersW 25520->25521 25674 92487a InternetQueryOptionW InternetSetOptionW 25521->25674 25523 9244f9 25524 9244fe InternetSetOptionW InternetSetOptionW 25523->25524 25534 924514 25523->25534 25524->25534 25525 924686 HttpSendRequestW 25526 924531 GetLastError 25525->25526 25527 9246a6 25525->25527 25526->25534 25675 924713 25527->25675 25529 9246b0 InternetCloseHandle 25533 92b858 _Receive_impl 14 API calls 25529->25533 25531 9246c4 25696 924d16 52 API calls 2 library calls 25531->25696 25532 92461b GetDesktopWindow InternetErrorDlg 25532->25525 25533->25514 25534->25525 25534->25531 25534->25532 25536 92487a InternetQueryOptionW InternetSetOptionW 25534->25536 25536->25534 25715 925e9b 25537->25715 25539 926045 25539->25428 25541 92705b collate 25540->25541 25542 927066 SetErrorMode 25541->25542 25543 9270a1 25542->25543 25544 92707f 25542->25544 25545 9270c0 CreateFileW 25543->25545 25546 92712d CreateFileW 25543->25546 25544->25543 25718 92938e 19 API calls 25544->25718 25547 927120 SetLastError 25545->25547 25548 9270df CreateFileW 25545->25548 25549 927146 GetLastError SetErrorMode SetLastError 25546->25549 25547->25549 25548->25549 25551 927114 25548->25551 25552 927214 25549->25552 25553 92716a GetLastError 25549->25553 25551->25549 25552->25434 25562 9263d7 25552->25562 25554 92717d collate 25553->25554 25719 92d909 FormatMessageW LocalFree 25554->25719 25556 927198 25720 92d5db 42 API calls collate 25556->25720 25558 9271ab 25560 9271f6 25558->25560 25721 92d40c 47 API calls 25558->25721 25561 92720b SetLastError 25560->25561 25561->25552 25563 9263e8 collate 25562->25563 25564 926400 WriteFile 25563->25564 25575 9263ee 
25563->25575 25565 926432 25564->25565 25566 92643c GetLastError 25565->25566 25565->25575 25567 92644f collate 25566->25567 25722 92d909 FormatMessageW LocalFree 25567->25722 25569 926468 25723 92d5db 42 API calls collate 25569->25723 25571 92647b 25724 92d5db 42 API calls collate 25571->25724 25573 92648e 25725 92d40c 47 API calls 25573->25725 25575->25439 25577 9243ea Mailbox 25576->25577 25578 9243f1 InternetCloseHandle 25577->25578 25579 9243ee 25577->25579 25580 92440d 25578->25580 25581 924401 25578->25581 25579->25415 25580->25415 25726 924d16 52 API calls 2 library calls 25581->25726 25584 92441b Mailbox 87 API calls 25583->25584 25585 92426b 25584->25585 25727 924c9e 25585->25727 25588 924bbe 25589 924be4 Concurrency::wait 25588->25589 25590 92b858 _Receive_impl 14 API calls 25589->25590 25591 924bec 25590->25591 25592 923538 Concurrency::wait 18 API calls 25591->25592 25593 924bf8 25592->25593 25594 923538 Concurrency::wait 18 API calls 25593->25594 25595 924c07 25594->25595 25604 92aa07 14 API calls _Receive_impl 25595->25604 25596->25424 25597->25424 25598->25424 25599->25434 25600->25420 25601->25444 25602->25446 25603->25433 25604->25412 25605->25469 25606->25471 25607->25467 25609 92aabd _Receive_impl 25608->25609 25612 92b861 25609->25612 25613 94254f ___std_exception_copy 14 API calls 25612->25613 25614 92a9d6 25613->25614 25614->25476 25616 924de1 25615->25616 25617 924dfc InternetOpenW 25615->25617 25618 924ce6 collate 75 API calls 25616->25618 25620 924dea collate 25617->25620 25619 924de6 25618->25619 25619->25617 25619->25620 25621 9242cf 25620->25621 25644 924d16 52 API calls 2 library calls 25620->25644 25621->25485 25621->25493 25624 924cf0 25623->25624 25625 924d09 25623->25625 25645 924e5c 25624->25645 25625->25484 25628 924d01 25660 92511c Sleep 25628->25660 25629 924cf9 25629->25484 25631 924d06 25631->25625 25632->25493 25633->25494 25635 9243e2 Mailbox 53 API calls 25634->25635 25636 924423 collate 25635->25636 25637 924427 
25636->25637 25638 924e4a InternetCloseHandle 25636->25638 25639 924ce6 collate 75 API calls 25636->25639 25637->25493 25638->25493 25640 924e34 25639->25640 25640->25638 25641 924e38 25640->25641 25673 924d16 52 API calls 2 library calls 25641->25673 25643 924e43 25643->25493 25644->25621 25646 924e66 __EH_prolog 25645->25646 25647 924e83 25646->25647 25648 924e74 Sleep 25646->25648 25657 924cf5 25647->25657 25661 92b840 25647->25661 25648->25646 25650 924ead collate 25651 924eba LoadLibraryW 25650->25651 25652 924ecc 25651->25652 25653 924efd 28 API calls 25651->25653 25654 92514a collate 42 API calls 25652->25654 25655 924ef8 25653->25655 25658 924edb collate 25654->25658 25656 92b858 _Receive_impl 14 API calls 25655->25656 25656->25657 25657->25628 25657->25629 25659 92b858 _Receive_impl 14 API calls 25658->25659 25659->25655 25660->25631 25664 92ba70 25661->25664 25665 92ba7e 25664->25665 25667 92ba85 _strlen 25664->25667 25666 92b861 collate 14 API calls 25665->25666 25669 92b852 25666->25669 25668 92ba98 MultiByteToWideChar 25667->25668 25670 92bae4 collate 17 API calls 25668->25670 25669->25650 25671 92bab7 25670->25671 25671->25669 25672 92babc MultiByteToWideChar 25671->25672 25672->25669 25673->25643 25674->25523 25676 942544 ___std_exception_copy 15 API calls 25675->25676 25677 924731 HttpQueryInfoW 25676->25677 25678 924756 25677->25678 25679 924771 25677->25679 25680 924773 25678->25680 25681 924768 25678->25681 25686 92478d HttpQueryInfoW 25679->25686 25692 9247b9 25679->25692 25707 92b9b8 17 API calls 2 library calls 25680->25707 25683 923155 18 API calls 25681->25683 25682 924829 InternetReadFile 25685 924841 25682->25685 25682->25692 25683->25679 25709 924d16 52 API calls 2 library calls 25685->25709 25686->25692 25688 94254f ___std_exception_copy 14 API calls 25693 924856 25688->25693 25689 9247cf 25689->25688 25690 92486f 25690->25529 25692->25682 25692->25689 25698 92abe0 25692->25698 25708 92cb00 18 API calls Concurrency::wait 25692->25708 
25693->25690 25710 92abb1 SendMessageW SendMessageW SendMessageW SendMessageW 25693->25710 25696->25529 25697->25514 25699 92abea 25698->25699 25700 92ac08 25698->25700 25711 939135 SendMessageW 25699->25711 25712 93913a SendMessageW 25699->25712 25700->25692 25701 92abf2 25713 939154 SendMessageW 25701->25713 25702 92abfd 25714 93916e SendMessageW 25702->25714 25707->25679 25708->25682 25709->25689 25710->25690 25711->25701 25712->25701 25713->25702 25714->25700 25716 93c6e3 16 API calls 25715->25716 25717 925eb0 25716->25717 25717->25539 25718->25543 25719->25556 25720->25558 25721->25560 25722->25569 25723->25571 25724->25573 25725->25575 25726->25580 25728 924cc4 collate 25727->25728 25729 924ccd 25728->25729 25737 924e26 86 API calls collate 25728->25737 25733 924d0b 25729->25733 25732 924272 25732->25588 25734 924d15 25733->25734 25734->25732 25735 925124 Sleep 25734->25735 25736 925135 25734->25736 25735->25734 25736->25732 25737->25729 25738->24812 25740 9279d6 error_info_injector 25739->25740 25741 927a47 25740->25741 25743 9443d1 25 API calls __wmakepath 25740->25743 25741->24817 25743->25741 25744->24826 25746 93101e __EH_prolog 25745->25746 25770 931e86 25746->25770 25748 93102c 25776 933575 25748->25776 25751 92bb34 17 API calls 25752 931065 25751->25752 25753 938ff7 LoadCursorW SetCursor 25752->25753 25753->24833 25755 93113b 25754->25755 25756 92bb34 17 API calls 25755->25756 25757 931148 collate 25756->25757 25763 927046 64 API calls 25757->25763 25758 931173 collate 25761 931177 25758->25761 25820 9336fb 25758->25820 25761->24836 25761->24840 25763->25758 25764->24842 25765->24842 25766->24860 25767->24869 25768->24875 25769->24853 25771 931e90 __EH_prolog 25770->25771 25772 926036 16 API calls 25771->25772 25773 931f12 25772->25773 25774 92b80d 17 API calls 25773->25774 25775 931f4d InitializeCriticalSection 25774->25775 25775->25748 25777 93357f __EH_prolog 25776->25777 25782 933f54 25777->25782 25804 9342d7 25782->25804 25785 932e7a 25812 932fcc 
25785->25812 25787 932f3c 25788 933e9d 18 API calls 25787->25788 25789 932f53 25788->25789 25790 93400f 18 API calls 25789->25790 25791 932f68 25790->25791 25792 92b861 collate 14 API calls 25791->25792 25793 932f73 25792->25793 25794 92b861 collate 14 API calls 25793->25794 25795 932f7e 25794->25795 25796 923538 Concurrency::wait 18 API calls 25795->25796 25797 932f89 25796->25797 25798 92b861 collate 14 API calls 25797->25798 25799 932f9a 25798->25799 25800 92b861 collate 14 API calls 25799->25800 25801 932fa5 25800->25801 25802 92b861 collate 14 API calls 25801->25802 25803 931042 25802->25803 25803->25751 25806 9342e1 __EH_prolog 25804->25806 25805 94254f ___std_exception_copy 14 API calls 25807 93432d 25805->25807 25808 934324 25806->25808 25810 923538 Concurrency::wait 18 API calls 25806->25810 25811 9335c4 25806->25811 25809 94254f ___std_exception_copy 14 API calls 25807->25809 25808->25805 25809->25811 25810->25806 25811->25785 25815 933e9d 25812->25815 25816 933ea8 _AnonymousOriginator 25815->25816 25817 932fda 25815->25817 25816->25817 25819 932a3b 18 API calls 2 library calls 25816->25819 25819->25816 25821 932e7a 18 API calls 25820->25821 25822 933715 25821->25822 25823 92bb34 17 API calls 25822->25823 25824 93372f 25823->25824 25830 932277 25824->25830 25828 9311b0 25828->25761 25829 9312c9 101 API calls 4 library calls 25828->25829 25829->25761 25841 926660 25830->25841 25831 9323f6 25831->25828 25840 932a7e 49 API calls __EH_prolog 25831->25840 25832 9322a6 25832->25831 25833 942544 ___std_exception_copy 15 API calls 25832->25833 25836 9322da 25833->25836 25834 9323ed 25835 94254f ___std_exception_copy 14 API calls 25834->25835 25835->25831 25836->25831 25836->25834 25839 926660 52 API calls 25836->25839 25853 9264c9 25836->25853 25839->25836 25840->25828 25876 92d2fa 25841->25876 25843 926673 SetFilePointer 25844 926696 GetLastError 25843->25844 25852 9266f6 25843->25852 25845 9266a2 GetLastError 25844->25845 25844->25852 25846 9266b0 collate 
25845->25846 25878 92d909 FormatMessageW LocalFree 25846->25878 25848 9266ca 25879 92d5db 42 API calls collate 25848->25879 25850 9266dd 25880 92d40c 47 API calls 25850->25880 25852->25832 25854 92d2fa collate 25853->25854 25855 9264de ReadFile 25854->25855 25856 92656d 25855->25856 25857 92651c 25855->25857 25859 926595 GetLastError 25856->25859 25860 92658e 25856->25860 25857->25856 25858 926520 GetLastError 25857->25858 25861 92653a ReadFile 25858->25861 25862 92652d GetLastError 25858->25862 25864 9265a7 collate 25859->25864 25860->25836 25861->25857 25863 92656b 25861->25863 25862->25856 25862->25861 25863->25856 25881 92d909 FormatMessageW LocalFree 25864->25881 25866 9265c8 25882 92d5db 42 API calls collate 25866->25882 25868 9265db 25883 92d5db 42 API calls collate 25868->25883 25870 9265ee 25884 92d5db 42 API calls collate 25870->25884 25872 926605 25885 92d5db 42 API calls collate 25872->25885 25874 926625 25886 92d40c 47 API calls 25874->25886 25877 92d305 collate 25876->25877 25877->25843 25878->25848 25879->25850 25880->25852 25881->25866 25882->25868 25883->25870 25884->25872 25885->25874 25886->25860 25890 9281d4 25887->25890 25891 9281e1 error_info_injector 25890->25891 25898 92ae00 25891->25898 25893 9281ec 25894 9281f2 25893->25894 25901 928216 25893->25901 25926 92ae76 25894->25926 25899 942544 ___std_exception_copy 15 API calls 25898->25899 25900 92ae14 25899->25900 25900->25893 25902 92822f error_info_injector 25901->25902 25913 928313 25901->25913 25903 92ae00 15 API calls 25902->25903 25902->25913 25905 928253 error_info_injector 25903->25905 25904 928259 25906 92ae76 error_info_injector 14 API calls 25904->25906 25905->25904 25908 92ae00 15 API calls 25905->25908 25907 928305 25906->25907 25910 92ae76 error_info_injector 14 API calls 25907->25910 25909 92827b 25908->25909 25909->25904 25930 927c7c 25909->25930 25911 92830c 25910->25911 25912 92ae76 error_info_injector 14 API calls 25911->25912 25912->25913 25913->25894 25915 9282eb 25979 
927e55 25915->25979 25918 92723e 57 API calls 25924 928298 25918->25924 25919 928216 97 API calls 25919->25924 25920 928319 25922 927e55 52 API calls 25920->25922 25922->25904 25923 92ae76 error_info_injector 14 API calls 25923->25924 25924->25904 25924->25915 25924->25918 25924->25919 25924->25920 25924->25923 25953 92ae32 25924->25953 25957 927736 25924->25957 25966 927d93 25924->25966 25927 92ae7a 25926->25927 25929 9281c6 25926->25929 25928 94254f ___std_exception_copy 14 API calls 25927->25928 25928->25929 25929->24881 25985 953014 25930->25985 25932 927c86 SetErrorMode 25933 927cb8 25932->25933 25934 92943d 19 API calls 25933->25934 25935 927cc2 25934->25935 25986 92e126 25935->25986 25938 927cde FindFirstFileExW 25940 927cf5 GetLastError SetErrorMode SetLastError 25938->25940 25939 927ced FindFirstFileW 25939->25940 25941 927d11 GetLastError 25940->25941 25942 927d49 25940->25942 25943 927d20 collate 25941->25943 25944 927d1e GetLastError 25941->25944 25945 927d65 25942->25945 25946 927d5c 25942->25946 25949 927d44 25943->25949 25989 92d3ee 47 API calls collate 25943->25989 25944->25943 25990 92833f 25945->25990 25947 927d93 73 API calls 25946->25947 25947->25949 25950 923538 Concurrency::wait 18 API calls 25949->25950 25951 927d82 25950->25951 25951->25924 25954 92ae3f error_info_injector 25953->25954 25955 942544 ___std_exception_copy 15 API calls 25954->25955 25956 92ae56 error_info_injector 25955->25956 25956->25924 25958 927740 __EH_prolog 25957->25958 25959 92943d 19 API calls 25958->25959 25960 927762 SetErrorMode RemoveDirectoryW GetLastError SetErrorMode SetLastError 25959->25960 25963 9277a3 collate 25960->25963 25961 9277c9 25962 923538 Concurrency::wait 18 API calls 25961->25962 25964 9277e0 25962->25964 25963->25961 26010 92d3ee 47 API calls collate 25963->26010 25964->25924 25967 927daa SetErrorMode 25966->25967 25969 927dff 25966->25969 25968 927dba FindNextFileW 25967->25968 25970 927e04 GetLastError 25968->25970 25971 927dcd 25968->25971 
25969->25924 25974 927e11 collate 25970->25974 25971->25968 25972 927dde GetLastError SetErrorMode SetLastError 25971->25972 25976 92833f 12 API calls 25972->25976 25973 927e34 25975 927e55 52 API calls 25973->25975 25974->25973 26011 92d3ee 47 API calls collate 25974->26011 25977 927e3e GetLastError SetErrorMode SetLastError 25975->25977 25976->25969 25977->25969 25980 927e65 SetErrorMode FindClose GetLastError SetErrorMode SetLastError 25979->25980 25981 927ec8 25979->25981 25982 927e9f collate 25980->25982 25981->25904 25984 927ec0 25982->25984 26012 92d3ee 47 API calls collate 25982->26012 25984->25981 25985->25932 25987 92e0cb GetVersionExW 25986->25987 25988 927cd4 25987->25988 25988->25938 25988->25939 25989->25949 25991 928353 error_info_injector 25990->25991 25996 926fa0 SetErrorMode FileTimeToSystemTime GetLastError SetErrorMode SetLastError 25991->25996 25994 926fa0 12 API calls 25995 92838d 25994->25995 25995->25949 25997 926fe2 25996->25997 25999 926fed 25996->25999 26000 92c801 25997->26000 25999->25994 26003 92c778 GetTimeZoneInformation 26000->26003 26004 92c797 SystemTimeToFileTime 26003->26004 26005 92c7ee 26003->26005 26004->26005 26006 92c7a6 26004->26006 26005->25999 26007 92c6be FileTimeToSystemTime FileTimeToSystemTime FileTimeToSystemTime SetLastError 26006->26007 26008 92c7c5 26007->26008 26008->26005 26009 92c7cb FileTimeToSystemTime 26008->26009 26009->26005 26010->25961 26011->25973 26012->25984 26013->24888 26018 93031c 26014->26018 26017 930366 DeleteCriticalSection 26017->24890 26019 930325 26018->26019 26020 94254f ___std_exception_copy 14 API calls 26019->26020 26021 92fc9b TlsFree 26019->26021 26020->26019 26021->26017 26023 923538 Concurrency::wait 18 API calls 26022->26023 26024 938f9c 26023->26024 26025 92b25a collate 38 API calls 26024->26025 26026 938fab 26025->26026 26033 925967 26026->26033 26028 938fb6 26032 938f8b 26028->26032 26037 925e6e 40 API calls collate 26028->26037 26030 938fcb error_info_injector 26038 928a2b 18 
API calls Concurrency::wait 26030->26038 26032->24669 26034 92597d 26033->26034 26035 925971 26033->26035 26039 923426 18 API calls Concurrency::wait 26034->26039 26035->26028 26037->26030 26038->26032 26039->26035 26041 9456ec 26040->26041 26042 9456da 26040->26042 26052 945573 26041->26052 26068 93d117 GetModuleHandleW 26042->26068 26045 9456df 26045->26041 26069 945772 GetModuleHandleExW 26045->26069 26047 93cd64 26047->24703 26050 94572f 26053 94557f CallCatchBlock 26052->26053 26075 94c5fe EnterCriticalSection 26053->26075 26055 945589 26076 9455df 26055->26076 26057 945596 26080 9455b4 26057->26080 26060 945730 26085 94c6a1 GetPEB 26060->26085 26063 94575f 26066 945772 __purecall 3 API calls 26063->26066 26064 94573f GetPEB 26064->26063 26065 94574f GetCurrentProcess TerminateProcess 26064->26065 26065->26063 26067 945767 ExitProcess 26066->26067 26068->26045 26070 9457b4 26069->26070 26071 945791 GetProcAddress 26069->26071 26073 9456eb 26070->26073 26074 9457ba FreeLibrary 26070->26074 26072 9457a6 26071->26072 26072->26070 26073->26041 26074->26073 26075->26055 26077 9455eb CallCatchBlock 26076->26077 26078 94564c __purecall 26077->26078 26083 94620d 14 API calls __purecall 26077->26083 26078->26057 26084 94c646 LeaveCriticalSection 26080->26084 26082 9455a2 26082->26047 26082->26060 26083->26078 26084->26082 26086 94c6bb 26085->26086 26088 94573a 26085->26088 26089 949745 5 API calls _free 26086->26089 26088->26063 26088->26064 26089->26088 26090 939301 GetDesktopWindow CreateDialogParamW ShowWindow KiUserCallbackDispatcher 26091 939365 KiUserCallbackDispatcher 26090->26091 26092 939372 26091->26092 26093 939351 TranslateMessage DispatchMessageW 26091->26093 26093->26091 26094 9391ab 26095 93923a 26094->26095 26096 9391bc 26094->26096 26097 939244 26095->26097 26098 9392af GetDlgItem SendMessageW 26095->26098 26099 939233 26096->26099 26100 9391be 26096->26100 26101 93927a GetDlgItem SendMessageW 26097->26101 26102 939249 26097->26102 26103 9392e2 
GetDlgItem SendMessageW 26098->26103 26131 93b3ba 19 API calls 2 library calls 26099->26131 26105 939223 KiUserCallbackDispatcher 26100->26105 26107 9391cb 26100->26107 26108 939202 26100->26108 26101->26103 26106 939252 GetDlgItem SendMessageW 26102->26106 26109 9391e0 26102->26109 26103->26109 26105->26109 26106->26109 26107->26109 26130 93b244 19 API calls 2 library calls 26107->26130 26108->26109 26113 93ac3a GetParent 26108->26113 26112 93921e KiUserCallbackDispatcher 26112->26105 26132 93bab1 26113->26132 26117 93acdd GetDlgItem SetWindowTextW 26118 92e442 26117->26118 26119 93ad00 GetDlgItem SetWindowTextW 26118->26119 26120 92e442 26119->26120 26121 93ad20 GetDlgItem SetWindowTextW 26120->26121 26122 92e442 26121->26122 26123 93ad40 GetDlgItem SetWindowTextW 26122->26123 26124 92e442 26123->26124 26125 93ad60 GetDlgItem SetWindowTextW 26124->26125 26126 92e442 26125->26126 26127 93ad80 GetDlgItem SetWindowTextW 26126->26127 26128 92e442 26127->26128 26129 93ada0 GetDlgItem SetWindowTextW RedrawWindow 26128->26129 26129->26112 26130->26109 26131->26109 26133 93da20 __purecall 26132->26133 26134 93bac9 GetModuleHandleW 26133->26134 26135 93bb06 26134->26135 26136 93baea GetProcAddress 26134->26136 26137 93bb21 GetProcAddress 26135->26137 26138 93bb0b GetProcAddress 26135->26138 26136->26135 26139 93bb37 GetSystemMetrics GetSystemMetrics 26137->26139 26140 93bb4c 26137->26140 26138->26137 26141 93ac62 GetClientRect SetWindowPos GetDlgItem SendMessageW 26139->26141 26142 93bb53 MonitorFromPoint 26140->26142 26143 93bb5f __purecall 26140->26143 26145 92e442 26141->26145 26142->26143 26144 93bb75 GetMonitorInfoW 26143->26144 26144->26141 26146 92e453 collate 26145->26146 26146->26117

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 00924E61
    • Sleep.KERNEL32(00000001,?,?,?,?,00923772), ref: 00924E75
    • LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00923772), ref: 00924EBD
    • GetProcAddress.KERNEL32(00000000,FtpCommandW), ref: 00924F09
    • GetProcAddress.KERNEL32(InternetWriteFile), ref: 00924F1B
    • GetProcAddress.KERNEL32(FtpOpenFileW), ref: 00924F2D
    • GetProcAddress.KERNEL32(InternetReadFile), ref: 00924F3F
    • GetProcAddress.KERNEL32(FtpSetCurrentDirectoryW), ref: 00924F51
    • GetProcAddress.KERNEL32(FtpGetCurrentDirectoryW), ref: 00924F63
    • GetProcAddress.KERNEL32(FtpRemoveDirectoryW), ref: 00924F75
    • GetProcAddress.KERNEL32(FtpCreateDirectoryW), ref: 00924F87
    • GetProcAddress.KERNEL32(FtpRenameFileW), ref: 00924F99
    • GetProcAddress.KERNEL32(FtpDeleteFileW), ref: 00924FAB
    • GetProcAddress.KERNEL32(InternetFindNextFileW), ref: 00924FBD
    • GetProcAddress.KERNEL32(FtpFindFirstFileW), ref: 00924FCF
    • GetProcAddress.KERNEL32(InternetSetOptionW), ref: 00924FE1
    • GetProcAddress.KERNEL32(InternetOpenW), ref: 00924FF3
    • GetProcAddress.KERNEL32(InternetCloseHandle), ref: 00925005
    • GetProcAddress.KERNEL32(InternetConnectW), ref: 00925017
    • GetProcAddress.KERNEL32(InternetGetLastResponseInfoW), ref: 00925029
    • GetProcAddress.KERNEL32(HttpOpenRequestW), ref: 0092503B
    • GetProcAddress.KERNEL32(HttpSendRequestW), ref: 0092504D
    • GetProcAddress.KERNEL32(InternetQueryOptionW), ref: 0092505F
    • GetProcAddress.KERNEL32(InternetErrorDlg), ref: 00925071
    • GetProcAddress.KERNEL32(HttpAddRequestHeadersW), ref: 00925083
    • GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 00925095
    • GetProcAddress.KERNEL32(HttpQueryInfoW), ref: 009250A2
    • GetProcAddress.KERNEL32(FtpGetFileSize), ref: 009250B4
    • GetProcAddress.KERNEL32(FtpPutFileW), ref: 009250C6
    • GetProcAddress.KERNEL32(HttpSendRequestExW), ref: 009250D3
    • GetProcAddress.KERNEL32(HttpEndRequestW), ref: 009250E0
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: AddressProc$H_prologLibraryLoadSleep
    • String ID: Chargement de la bibliothque %s a choue$FtpCommandW$FtpCreateDirectoryW$FtpDeleteFileW$FtpFindFirstFileW$FtpGetCurrentDirectoryW$FtpGetFileSize$FtpOpenFileW$FtpPutFileW$FtpRemoveDirectoryW$FtpRenameFileW$FtpSetCurrentDirectoryW$HttpAddRequestHeadersW$HttpEndRequestW$HttpOpenRequestW$HttpQueryInfoW$HttpSendRequestExW$HttpSendRequestW$InternetCloseHandle$InternetConnectW$InternetErrorDlg$InternetFindNextFileW$InternetGetConnectedState$InternetGetLastResponseInfoW$InternetOpenW$InternetQueryOptionW$InternetReadFile$InternetSetOptionW$InternetWriteFile
    • API String ID: 1821098947-4004274562
    • Opcode ID: 96afbdce1a141609b1afc525e634935fdf039b1daf1c1a77ac819c82af63b67d
    • Instruction ID: 250a808a0a0641926c91d62977f89fb500a3d455d53f8814bbe7ffbd0939837d
    • Opcode Fuzzy Hash: 96afbdce1a141609b1afc525e634935fdf039b1daf1c1a77ac819c82af63b67d
    • Instruction Fuzzy Hash: C5610B72D68325EACB119F72AC0991E7FA5FBC6758700842BF90DA3271EB7544A0EF40
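The function at 00924E61 above resolves its whole network API at run time: one LoadLibraryW followed by 28 GetProcAddress calls, with a French failure message in its string set (the extractor dropped the accents; it reads "Chargement de la bibliothèque %s a échoué", that is "loading library %s failed"). Every resolved name is a wininet.dll export, which is why the later entries show these calls as *.WININET and why the static import table says nothing about FTP or HTTP capability; this is the code behind the "Extensive use of GetProcAddress" signature. The script below is an added triage aid, not code from the report or from the sample's vendor: it parses the API lines of this entry, copied verbatim as constructed input, and buckets the resolved names so a reviewer sees at a glance that the sample can write, rename and delete on an FTP server as well as fetch over HTTP. The module name wininet.dll is an inference from the export names, since the LoadLibraryW argument is not captured in the report.

```python
"""Added triage aid, not code from the report: pull the names the function at
00924E61 resolves with GetProcAddress out of its 'APIs' lines and bucket them.
Every name is a wininet.dll export, so that module name is an inference from
the names; the report does not capture the LoadLibraryW argument."""
import re
from collections import defaultdict

# Constructed input: the 'APIs' lines of the entry, copied from the report.
REPORT_LINES = """\
• __EH_prolog.LIBCMT ref: 00924E61
• LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,00923772), ref: 00924EBD
• GetProcAddress.KERNEL32(00000000,FtpCommandW), ref: 00924F09
• GetProcAddress.KERNEL32(InternetWriteFile), ref: 00924F1B
• GetProcAddress.KERNEL32(FtpOpenFileW), ref: 00924F2D
• GetProcAddress.KERNEL32(InternetReadFile), ref: 00924F3F
• GetProcAddress.KERNEL32(FtpSetCurrentDirectoryW), ref: 00924F51
• GetProcAddress.KERNEL32(FtpGetCurrentDirectoryW), ref: 00924F63
• GetProcAddress.KERNEL32(FtpRemoveDirectoryW), ref: 00924F75
• GetProcAddress.KERNEL32(FtpCreateDirectoryW), ref: 00924F87
• GetProcAddress.KERNEL32(FtpRenameFileW), ref: 00924F99
• GetProcAddress.KERNEL32(FtpDeleteFileW), ref: 00924FAB
• GetProcAddress.KERNEL32(InternetFindNextFileW), ref: 00924FBD
• GetProcAddress.KERNEL32(FtpFindFirstFileW), ref: 00924FCF
• GetProcAddress.KERNEL32(InternetSetOptionW), ref: 00924FE1
• GetProcAddress.KERNEL32(InternetOpenW), ref: 00924FF3
• GetProcAddress.KERNEL32(InternetCloseHandle), ref: 00925005
• GetProcAddress.KERNEL32(InternetConnectW), ref: 00925017
• GetProcAddress.KERNEL32(InternetGetLastResponseInfoW), ref: 00925029
• GetProcAddress.KERNEL32(HttpOpenRequestW), ref: 0092503B
• GetProcAddress.KERNEL32(HttpSendRequestW), ref: 0092504D
• GetProcAddress.KERNEL32(InternetQueryOptionW), ref: 0092505F
• GetProcAddress.KERNEL32(InternetErrorDlg), ref: 00925071
• GetProcAddress.KERNEL32(HttpAddRequestHeadersW), ref: 00925083
• GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 00925095
• GetProcAddress.KERNEL32(HttpQueryInfoW), ref: 009250A2
• GetProcAddress.KERNEL32(FtpGetFileSize), ref: 009250B4
• GetProcAddress.KERNEL32(FtpPutFileW), ref: 009250C6
• GetProcAddress.KERNEL32(HttpSendRequestExW), ref: 009250D3
• GetProcAddress.KERNEL32(HttpEndRequestW), ref: 009250E0
"""

# "<api>.<module>(<args>), ref: <address>"; the prolog line has no argument list.
API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# What a resolved name lets the code do; Http*/Internet* fall through to prefixes.
FTP_MODIFY = {"FtpPutFileW", "FtpDeleteFileW", "FtpRemoveDirectoryW", "FtpRenameFileW",
              "FtpCreateDirectoryW", "FtpCommandW", "InternetWriteFile"}
FTP_READ = {"FtpOpenFileW", "FtpGetFileSize", "FtpFindFirstFileW", "InternetFindNextFileW",
            "FtpGetCurrentDirectoryW", "FtpSetCurrentDirectoryW", "InternetReadFile"}


def resolved_names(text):
    """[(export_name, call_site)] for every GetProcAddress line, in resolution order."""
    out = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m or m.group("api") != "GetProcAddress":
            continue
        # The sandbox prints the name argument literally; skip numeric and '?' slots.
        names = [a.strip() for a in (m.group("args") or "").split(",")
                 if re.fullmatch(r"[A-Za-z_]\w*", a.strip())]
        if names:
            out.append((names[-1], m.group("ref").upper()))
    return out


def capability_summary(names):
    """Bucket names by capability; lists are sorted for stable output."""
    buckets = defaultdict(list)
    for n in names:
        if n in FTP_MODIFY:
            buckets["ftp_write_delete"].append(n)
        elif n in FTP_READ:
            buckets["ftp_read_enumerate"].append(n)
        elif n.startswith("Http"):
            buckets["http_request"].append(n)
        elif n.startswith("Internet"):
            buckets["session_and_options"].append(n)
        else:
            buckets["other"].append(n)
    return {k: sorted(v) for k, v in buckets.items()}


def inferred_module(names):
    """wininet.dll when every name is a Ftp*/Http*/Internet* export (inference)."""
    ok = bool(names) and all(n.startswith(("Ftp", "Http", "Internet")) for n in names)
    return "wininet.dll" if ok else "unknown"


if __name__ == "__main__":
    resolved = resolved_names(REPORT_LINES)
    names = [n for n, _ in resolved]
    print(len(resolved), "names resolved from", inferred_module(names))
    for bucket, members in capability_summary(names).items():
        print(f"{bucket:22s} {len(members):2d}  {', '.join(members)}")
```

The same regex accepts any entry's API block, so the script can be pointed at other functions in the report; the buckets are only meaningful for WinINet names and everything else lands in "other".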

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 0093BC7C
    • GetPrivateProfileStringW.KERNEL32(INSTALL,PROTOCOLE,0095D860,?,00000104,009689D4,00DBFF40,00DC0152,00DBFF48), ref: 0093BCC9
    • GetPrivateProfileStringW.KERNEL32(INSTALL,SERVEUR,0095D860,?,00000104,009689D4,PC SOFT,00000000,?,?,?), ref: 0093BD29
    • GetPrivateProfileStringW.KERNEL32(INSTALL,CHEMIN,0095D860,00000000,00000104,009689D4,00000000,00000000,?,?,?), ref: 0093BDAF
    • GetPrivateProfileStringW.KERNEL32(INSTALL,AUTHENTIFICATION,00968C28,00000000,00000104,009689D4,00000000,?,?,?), ref: 0093BDDC
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: PrivateProfileString$H_prolog
    • String ID: 0$AUTHENTIFICATION$CHEMIN$INSTALL$PC SOFT$PROTOCOLE$SERVEUR
    • API String ID: 3250155223-1913864594
    • Opcode ID: 6a57d7fa92fe6f652dd77ac12565bdb8be786737981b97882e6904243bcf56ee
    • Instruction ID: 0e13ff8d640146a8da28bf85b03a85108a3b98aad5eee16a834d33ffdc49e9e1
    • Opcode Fuzzy Hash: 6a57d7fa92fe6f652dd77ac12565bdb8be786737981b97882e6904243bcf56ee
    • Instruction Fuzzy Hash: 7F41D171A40209BBDB10DBA4DC85FAAB3B8FB84714F14816AB615E71C1DBB09E44CF90

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 00939AF2
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00939B72
    • GetPrivateProfileStringW.KERNEL32(INSTALL,APPLI,0095D860,00DC0B84,00000104,00DBFF48), ref: 00939BCA
    • SetWindowTextW.USER32(?,00000000), ref: 00939C0B
    • RedrawWindow.USER32(?,00000000,00000000,00000100), ref: 00939C20
    • GetPrivateProfileStringW.KERNEL32(INSTALL,InstallComposite,00968C28,?,00000003,00DBFF48), ref: 00939C59
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: PrivateProfileStringWindow$H_prologMessageRedrawText
    • String ID: 0$APPLI$INSTALL$INSTALL.INI$INSTALL.ZIP$InstallComposite
    • API String ID: 2567573683-3508139281
    • Opcode ID: d0b422420bd81e43e93ff7f06c32329b5785b88c2f1c483564282cdef4400eb7
    • Instruction ID: 44de948438c7003e9b8142243b8796f4b706dd854210653360e7235123ad9acd
    • Opcode Fuzzy Hash: d0b422420bd81e43e93ff7f06c32329b5785b88c2f1c483564282cdef4400eb7
    • Instruction Fuzzy Hash: CB31CE31340616BBC708BB71AC56FEFB3ADAF84745F004221F616A20D1EFB06A549BA0

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 00927C81
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000), ref: 00927CA8
      • Part of subcall function 0092E126: GetVersionExW.KERNEL32(?,00000000), ref: 0092E0E8
    • FindFirstFileExW.KERNEL32(?,00000001,?,00000000,00000000,00000000,?,00000000), ref: 00927CE5
      • Part of subcall function 00927D93: SetErrorMode.KERNEL32(00008001), ref: 00927DB5
      • Part of subcall function 00927D93: FindNextFileW.KERNELBASE(?,?), ref: 00927DC3
      • Part of subcall function 00927D93: GetLastError.KERNEL32(?,?), ref: 00927DDE
      • Part of subcall function 00927D93: SetErrorMode.KERNEL32(?,?,?), ref: 00927DE9
      • Part of subcall function 00927D93: SetLastError.KERNEL32(00000000,?,?), ref: 00927DEC
    • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00927CEF
    • GetLastError.KERNEL32(?,00000000), ref: 00927CF7
    • SetErrorMode.KERNEL32(?,?,00000000), ref: 00927D02
    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00927D06
    • GetLastError.KERNEL32(?,00000000), ref: 00927D17
    • GetLastError.KERNEL32(?,00000000), ref: 00927D1E
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$Last$Mode$FileFind$First$H_prologNextVersion
    • String ID:
    • API String ID: 3071895801-0
    • Opcode ID: 7f85800d000a941a13b911d61c285ee05d1ebc7e9212f89f642687d3effadb7a
    • Instruction ID: b7c5bea7030f460b09314e5acec18ab9f513ec76e4f18c4d9468e594e86d4d52
    • Opcode Fuzzy Hash: 7f85800d000a941a13b911d61c285ee05d1ebc7e9212f89f642687d3effadb7a
    • Instruction Fuzzy Hash: 4B31E231D08230ABDB20ABB2FC45ABEB7B9EF81300F10406AE905B7195DB745E45CBA1
    APIs
    • GetPrivateProfileIntW.KERNEL32(GENERAL,NATIONDEFAUT,00000000,?), ref: 0093A9B6
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: PrivateProfile
    • String ID: GENERAL$INSTALL.INI$NATIONDEFAUT
    • API String ID: 1469295129-3535471277
    • Opcode ID: 775b9755a9fa07ee399d5c4645a38cb49c1aa8b808948450084fa6b3a5106eb9
    • Instruction ID: 6ec8114843f2a9ed870dbe0c5ffb85921d92df91be982edf5f17e3145f44c366
    • Opcode Fuzzy Hash: 775b9755a9fa07ee399d5c4645a38cb49c1aa8b808948450084fa6b3a5106eb9
    • Instruction Fuzzy Hash: 1F318770780A3826D915B3646CA7FAD31564BC0F84FC0C258FA1A6E1D6DE941F0387DE
    APIs
    • HttpQueryInfoW.WININET(?,00000016,00000000,?,00000000), ref: 0092474C
    • HttpQueryInfoW.WININET(?,20000005,?,?,00000000), ref: 009247AC
    • InternetReadFile.WININET(?,00000000,00007D80,?), ref: 00924837
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: HttpInfoQuery$FileInternetRead
    • String ID:
    • API String ID: 58924816-0
    • Opcode ID: 5901945afbc227986f960f6488b4e2f611b9777f3279595981274ace5e98c377
    • Instruction ID: bef0c86a72d5dfa78d5b2702faafad99df30fad312ecb62aec8dff2080886a4b
    • Opcode Fuzzy Hash: 5901945afbc227986f960f6488b4e2f611b9777f3279595981274ace5e98c377
    • Instruction Fuzzy Hash: 6541ABB1204211ABD710DF25EC84E6B77ADFFC5B04F15856CF85A8B299DB30E904CBA2
    APIs
    • GetCurrentProcess.KERNEL32(?,?,0094572F,?,?,?,?), ref: 00945752
    • TerminateProcess.KERNEL32(00000000,?,0094572F,?,?,?,?), ref: 00945759
    • ExitProcess.KERNEL32 ref: 0094576B
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: a1399a9ea879a7561d14142734f93d5944c7e8515aa33772e28c9b2ce26f01bd
    • Instruction ID: ca2ee4b2dc0773f0a1f9e886053cd650321e03e3ef7b89fabe038af07f802191
    • Opcode Fuzzy Hash: a1399a9ea879a7561d14142734f93d5944c7e8515aa33772e28c9b2ce26f01bd
    • Instruction Fuzzy Hash: 02E04671018A08EFCB512BA5EC48E483F69FB60342B124024F90986132CB35ECD1DB40

    Control-flow Graph

    APIs
    • GetParent.USER32(?), ref: 0093AC52
      • Part of subcall function 0093BAB1: GetModuleHandleW.KERNEL32(USER32.DLL,?,00DBFF40,?,?,?,?,?,?,?,?,0093AC62), ref: 0093BAD1
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0093BAF9
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0093BB1A
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 0093BB27
      • Part of subcall function 0093BAB1: GetSystemMetrics.USER32(75C09120), ref: 0093BB3E
      • Part of subcall function 0093BAB1: GetSystemMetrics.USER32(00000001), ref: 0093BB45
    • GetClientRect.USER32(?,?), ref: 0093AC6C
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 0093ACA3
    • GetDlgItem.USER32(?,000003EC), ref: 0093ACBA
    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 0093ACC5
    • GetDlgItem.USER32(?,000003EE), ref: 0093ACE9
    • SetWindowTextW.USER32(00000000), ref: 0093ACF2
    • GetDlgItem.USER32(?,000003F3), ref: 0093AD0F
    • SetWindowTextW.USER32(00000000), ref: 0093AD12
    • GetDlgItem.USER32(?,000003F4), ref: 0093AD2F
    • SetWindowTextW.USER32(00000000), ref: 0093AD32
    • GetDlgItem.USER32(?,000003F5), ref: 0093AD4F
    • SetWindowTextW.USER32(00000000), ref: 0093AD52
    • GetDlgItem.USER32(?,000003F6), ref: 0093AD6F
    • SetWindowTextW.USER32(00000000), ref: 0093AD72
    • GetDlgItem.USER32(?,000003EF), ref: 0093AD8F
    • SetWindowTextW.USER32(00000000), ref: 0093AD92
    • GetDlgItem.USER32(?,00000002), ref: 0093ADAC
    • SetWindowTextW.USER32(00000000), ref: 0093ADAF
    • RedrawWindow.USER32(?,00000000,00000000,00000100), ref: 0093ADC0
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Window$Item$Text$AddressProc$MetricsSystem$ClientHandleMessageModuleParentRectRedrawSend
    • String ID:
    • API String ID: 55263300-0
    • Opcode ID: 46baa7b761ce74084e8da3799be8b687882b1e88fabc57e980fb81f25d026cd7
    • Instruction ID: d5b13f72a33a6d73e2643297ddb891e318e7640147e378ebc341abec09b1bb08
    • Opcode Fuzzy Hash: 46baa7b761ce74084e8da3799be8b687882b1e88fabc57e980fb81f25d026cd7
    • Instruction Fuzzy Hash: D8416271A40619BFDB11ABB5DC89FEE7BBAEF84705F044010F219E71A0CB70AD429B50

    Control-flow Graph: function 0092443D (executed and not-executed paths are shown in the interactive graph; the node/edge dump is not reproduced here)

    APIs
    • __EH_prolog.LIBCMT ref: 00924442
    • HttpOpenRequestW.WININET(?,GET,?,HTTP/1.0,00000000,00000000,?,00000000), ref: 009244A5
    • HttpAddRequestHeadersW.WININET(00000000,00000000,00000000,A0000000), ref: 009244E7
      • Part of subcall function 0092487A: InternetQueryOptionW.WININET(00000004,0000001F,?,?), ref: 00924893
      • Part of subcall function 0092487A: InternetSetOptionW.WININET(00000004,0000001F,?,00000004), ref: 009248AA
    • InternetSetOptionW.WININET(00000000,0000004C,00000000,00000000), ref: 00924503
    • InternetSetOptionW.WININET(00000000,0000002A,00000000,00000000), ref: 0092450E
    • GetLastError.KERNEL32 ref: 00924531
    • GetDesktopWindow.USER32 ref: 00924623
    • InternetErrorDlg.WININET(00000000), ref: 0092462A
    • HttpSendRequestW.WININET(00000000,0095D860,?,?,?), ref: 00924695
    • InternetCloseHandle.WININET(00000000), ref: 009246B4
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Internet$Option$HttpRequest$Error$CloseDesktopH_prologHandleHeadersLastOpenQuerySendWindow
    • String ID: Content-Type: %s$GET$HTTP/1.0
    • API String ID: 2605959784-1930603766
    • Opcode ID: 4023028ca3f8ad3eacd224742a1c52d327381bdba68c14b06f17f45990c0cd5d
    • Instruction ID: f6783cec66f803b210b7bc21f281935e19ace1237dfff8ca0cbd0a7a9d129627
    • Opcode Fuzzy Hash: 4023028ca3f8ad3eacd224742a1c52d327381bdba68c14b06f17f45990c0cd5d
    • Instruction Fuzzy Hash: 11818C71900225EBCB25EFA5ED49FAF7FB8FB86740F004419F901A61A9C774C950DBA1
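The request function at 0092443D opens a GET with the version string HTTP/1.0, adds a Content-Type header, runs the subcall at 0092487A, clears two session options, and sends; when the send fails it falls back to InternetErrorDlg on the desktop window, which is WinINet's interactive prompt for certificate, proxy and authentication errors. The numeric arguments the sandbox captured decode as WinINet constants, and the subcall's query-then-set on option 0x1F is the one detail to confirm in the disassembly: 0x1F is INTERNET_OPTION_SECURITY_FLAGS, and reading it, OR-ing in bits and writing it back is the sequence code uses to relax certificate validation (SECURITY_FLAG_IGNORE_CERT_CN_INVALID and related bits). The report shows the read and the write but not the value written, so that stays an item to verify rather than a finding. The decoder below is an added example, not code from the report or from the sample's vendor; the constant values are those of wininet.h and the input lines are copied from this entry.

```python
"""Added example, not code from the report: decode the numeric WinINet arguments
captured for the request function at 0092443D and its subcall 0092487A.
Constant names and values are from wininet.h. The check at the bottom only
states that INTERNET_OPTION_SECURITY_FLAGS is read and written back in
0092487A, which the report shows; it cannot say which bits were changed."""
import re

# Constructed input: the WinINet lines of the entry, copied from the report.
REPORT_LINES = """\
• HttpOpenRequestW.WININET(?,GET,?,HTTP/1.0,00000000,00000000,?,00000000), ref: 009244A5
• HttpAddRequestHeadersW.WININET(00000000,00000000,00000000,A0000000), ref: 009244E7
  • Part of subcall function 0092487A: InternetQueryOptionW.WININET(00000004,0000001F,?,?), ref: 00924893
  • Part of subcall function 0092487A: InternetSetOptionW.WININET(00000004,0000001F,?,00000004), ref: 009248AA
• InternetSetOptionW.WININET(00000000,0000004C,00000000,00000000), ref: 00924503
• InternetSetOptionW.WININET(00000000,0000002A,00000000,00000000), ref: 0092450E
• HttpQueryInfoW.WININET(?,00000016,00000000,?,00000000), ref: 0092474C
• HttpQueryInfoW.WININET(?,20000005,?,?,00000000), ref: 009247AC
"""

INTERNET_OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS",
                    0x2A: "INTERNET_OPTION_END_BROWSER_SESSION",
                    0x4C: "INTERNET_OPTION_DIGEST_AUTH_UNLOAD"}
HTTP_QUERY_IDS = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
                  21: "HTTP_QUERY_RAW_HEADERS", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
HTTP_QUERY_FLAGS = {0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS",
                    0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME",
                    0x20000000: "HTTP_QUERY_FLAG_NUMBER",
                    0x10000000: "HTTP_QUERY_FLAG_COALESCE"}
HTTP_ADDREQ_FLAGS = {0x80000000: "HTTP_ADDREQ_FLAG_REPLACE",
                     0x40000000: "HTTP_ADDREQ_FLAG_COALESCE_WITH_COMMA",
                     0x20000000: "HTTP_ADDREQ_FLAG_ADD",
                     0x10000000: "HTTP_ADDREQ_FLAG_ADD_IF_NEW",
                     0x01000000: "HTTP_ADDREQ_FLAG_COALESCE_WITH_SEMICOLON"}

# Optional "Part of subcall function X:" prefix, then "<api>.WININET(<args>), ref: <addr>".
LINE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                  r"(?P<api>\w+)\.WININET\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def _arg(args, i):
    """Argument i as an int when it is an 8-digit hex word, otherwise its raw text."""
    a = args[i].strip() if i < len(args) else "?"
    return int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a


def _bits(value, table):
    """Split a flag word into named high bits plus the remaining low value."""
    if not isinstance(value, int):
        return [], value
    names = [n for bit, n in table.items() if value & bit]
    return names, value & ~sum(table)


def decode(text):
    """One record per WinINet call with the argument(s) that carry constants decoded."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        api, args = m.group("api"), m.group("args").split(",")
        rec = {"api": api, "ref": m.group("ref").upper(), "in": m.group("sub"), "decoded": []}
        if api in ("InternetSetOptionW", "InternetQueryOptionW"):
            opt = _arg(args, 1)
            rec["decoded"] = [INTERNET_OPTIONS.get(opt, f"INTERNET_OPTION_{opt}")]
        elif api == "HttpQueryInfoW":
            flags, qid = _bits(_arg(args, 1), HTTP_QUERY_FLAGS)
            rec["decoded"] = flags + [HTTP_QUERY_IDS.get(qid, f"HTTP_QUERY_{qid}")]
        elif api == "HttpAddRequestHeadersW":
            rec["decoded"] = _bits(_arg(args, 3), HTTP_ADDREQ_FLAGS)[0]
        elif api == "HttpOpenRequestW":
            rec["decoded"] = [f"verb={_arg(args, 1)}", f"version={_arg(args, 3)}"]
        out.append(rec)
    return out


def security_flags_rewritten(records):
    """True when one function both reads and writes INTERNET_OPTION_SECURITY_FLAGS,
    the shape of code that ORs in SECURITY_FLAG_IGNORE_* bits; the written value
    itself has to be read from the disassembly before drawing a conclusion."""
    seen = {}
    for r in records:
        if "INTERNET_OPTION_SECURITY_FLAGS" in r["decoded"]:
            seen.setdefault(r["in"], set()).add(r["api"])
    return any({"InternetQueryOptionW", "InternetSetOptionW"} <= apis for apis in seen.values())


if __name__ == "__main__":
    recs = decode(REPORT_LINES)
    for r in recs:
        where = f" (in {r['in']})" if r["in"] else ""
        print(f"{r['ref']} {r['api']}{where}: {', '.join(r['decoded'])}")
    print("SECURITY_FLAGS read-modify-write present:", security_flags_rewritten(recs))
```

Run against the lines above it reports the Content-Type header added with ADD|REPLACE, INTERNET_OPTION_DIGEST_AUTH_UNLOAD and INTERNET_OPTION_END_BROWSER_SESSION cleared on the request handle, the response headers fetched as HTTP_QUERY_RAW_HEADERS_CRLF and the Content-Length read as a number, and the security-flags read-modify-write in 0092487A.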

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 009395DD
      • Part of subcall function 00931014: __EH_prolog.LIBCMT ref: 00931019
      • Part of subcall function 00938FF7: LoadCursorW.USER32(00000000,00007F8A), ref: 00939007
      • Part of subcall function 00938FF7: SetCursor.USER32(00000000,?,00000000,00000000,00000000,00938E09), ref: 00939011
    • GetDlgItem.USER32(?,000003EC), ref: 00939620
    • SendMessageW.USER32(00000000,00000401,00000000,?), ref: 0093966A
    • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00939678
    • RedrawWindow.USER32(00000000,00000000,00000000,00000100,?,00000000,00000000,00000000,00938E09), ref: 00939686
    • SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00939722
    • RedrawWindow.USER32(00000000,00000000,00000000,00000100,?,?,?,?,00000000,00000000,00000000,00938E09), ref: 00939730
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00939786
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 009397D9
    • SetCursor.USER32(?,?,00000000,00000000,00000000,00938E09), ref: 009398B9
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Message$CursorSend$H_prologRedrawWindow$ItemLoad
    • String ID: WDUpdate.net$WDUpdate32.net$WDUpdate64.net
    • API String ID: 179722454-2051276035
    • Opcode ID: 113c357d26e80802a61b82b7a9ef303b555ed9f809087cff8c7adbc2c52d7fb4
    • Instruction ID: d650bd34512ea84ab0cd9e72d09789f52e92747a6957a11c8aa4d285299c4b0c
    • Opcode Fuzzy Hash: 113c357d26e80802a61b82b7a9ef303b555ed9f809087cff8c7adbc2c52d7fb4
    • Instruction Fuzzy Hash: 8F7171B1910229AFDB10EBA0DC85FEEB3BDEF84304F4044A9B506A2195EB705F85CF64

    Control-flow Graph: function 00927046 (executed and not-executed paths are shown in the interactive graph; the node/edge dump is not reproduced here)

    APIs
    • SetErrorMode.KERNEL32(00008001,00000001), ref: 00927073
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000), ref: 009270CE
    • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 00927103
    • SetLastError.KERNEL32(000000B7), ref: 00927125
    • GetLastError.KERNEL32 ref: 00927146
    • SetErrorMode.KERNEL32(?), ref: 00927151
    • SetLastError.KERNEL32(00000000), ref: 0092715B
    • GetLastError.KERNEL32 ref: 0092716A
    • SetLastError.KERNEL32(?,00000001,00000000), ref: 0092720E
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 0092719E
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$Last$CreateFileMode
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 3800500338-1932549541
    • Opcode ID: fafdd86514b4fcebc1ec0c3a7aa68e324a0640c285622b679defa20b98ea9951
    • Instruction ID: 8b4bf131e02f2b414935916002a017825309504826c939a37660a9003381409d
    • Opcode Fuzzy Hash: fafdd86514b4fcebc1ec0c3a7aa68e324a0640c285622b679defa20b98ea9951
    • Instruction Fuzzy Hash: D7510F30744316BFDB14AFB1EC85BA9B7A9FF84304F204618F925A62D5D731AC619B80

    Control-flow Graph: function 009264C9 (executed and not-executed paths are shown in the interactive graph; the node/edge dump is not reproduced here)

    APIs
    • ReadFile.KERNEL32(?,?,?,?,00000000,00000001), ref: 00926509
    • GetLastError.KERNEL32 ref: 00926520
    • GetLastError.KERNEL32 ref: 0092652D
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00926555
    • GetLastError.KERNEL32 ref: 00926595
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 009265CE
    • ##(IXStream)-Offset=<%I64u>##, xrefs: 00926618
    • ##(IXStream)-A lire=<%u>, lu=<%u>##, xrefs: 009265F8
    • ##(IXStream)-bExact=<%d>##, xrefs: 009265E1
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorLast$FileRead
    • String ID: ##(IXStream)-A lire=<%u>, lu=<%u>##$##(IXStream)-Handle=<%p>##$##(IXStream)-Offset=<%I64u>##$##(IXStream)-bExact=<%d>##
    • API String ID: 3644057887-2873668781
    • Opcode ID: 646162c09bd7f3538cfabbe46b8d7d1912f7177a0974dd7a2def7d0194d047bd
    • Instruction ID: 8dcade3696eec20b6812c85535e921c50fa631f1f5371b651e01bbd83db0295c
    • Opcode Fuzzy Hash: 646162c09bd7f3538cfabbe46b8d7d1912f7177a0974dd7a2def7d0194d047bd
    • Instruction Fuzzy Hash: 6641CD75600714FFDB20AFA4EC85FAA77B6EF84304F108418F816966A9DBB1AD90DB50

    Control-flow Graph: function 00939C81 (executed and not-executed paths are shown in the interactive graph; the node/edge dump is not reproduced here)

    APIs
    • __EH_prolog.LIBCMT ref: 00939C86
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00939DDE
      • Part of subcall function 009262D9: CloseHandle.KERNEL32(000000FF,?,0092610B), ref: 009262E8
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: CloseH_prologHandleMessage
    • String ID: /%s/INSTALL.ZIP$200$407$HTTP$HTTPS$application/x-www-form-urlencoded
    • API String ID: 1471042199-14889628
    • Opcode ID: bfc191a24eafc386584494c0083c7ba604fd3da29d54fd965ad8bf28cfe451f1
    • Instruction ID: 5367396878cd65cbb5ffbabf4b59bcdb1f9b28adac5c1feb50ee6d89bd227e8f
    • Opcode Fuzzy Hash: bfc191a24eafc386584494c0083c7ba604fd3da29d54fd965ad8bf28cfe451f1
    • Instruction Fuzzy Hash: 37E19171A0021AEFDB18EBA4DC55BEEB7B9AF94344F10412DF416A3191EB749E04CFA1

    Control-flow Graph

    APIs
    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00939228
      • Part of subcall function 0093B244: __EH_prolog.LIBCMT ref: 0093B249
    • GetDlgItem.USER32(?,000003EC), ref: 0093926B
    • SendMessageW.USER32(00000000), ref: 00939272
    • GetDlgItem.USER32(?,000003EC), ref: 0093929C
    • SendMessageW.USER32(00000000), ref: 009392A5
    • GetDlgItem.USER32(?,000003EC), ref: 009392F3
    • SendMessageW.USER32(00000000), ref: 009392F6
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ItemMessageSend$CallbackDispatcherH_prologUser
    • String ID:
    • API String ID: 616606135-0
    • Opcode ID: 90f4edb0315cda1fd1f4edf341acb8072013b0a27f59b7ff30ce454ad41172c9
    • Instruction ID: a2e32ee5120b08f7858401846fe067515ae35dbf0ec5acfa35a4f672e6ffb5b2
    • Opcode Fuzzy Hash: 90f4edb0315cda1fd1f4edf341acb8072013b0a27f59b7ff30ce454ad41172c9
    • Instruction Fuzzy Hash: 4C31AD7261464ABBDB109FA9CC88FAB7F6DFB45305F000420F626E71A4C6B59D81AF10

    Control-flow Graph

    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00927DB5
    • FindNextFileW.KERNELBASE(?,?), ref: 00927DC3
    • GetLastError.KERNEL32(?,?), ref: 00927DDE
    • SetErrorMode.KERNEL32(?,?,?), ref: 00927DE9
    • SetLastError.KERNEL32(00000000,?,?), ref: 00927DEC
    • GetLastError.KERNEL32(?,?), ref: 00927E0A
    • GetLastError.KERNEL32(?,?), ref: 00927E3E
    • SetErrorMode.KERNEL32(?,?,?), ref: 00927E45
    • SetLastError.KERNEL32(00000000,?,?), ref: 00927E48
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$Last$Mode$FileFindNext
    • String ID:
    • API String ID: 705879328-0
    • Opcode ID: b4408c16ddbda798a628edf7d8612c918040245b7d49ebf488658547886fa70c
    • Instruction ID: 55f535dc96e99d3c3eb6dcac419ec4da1cce3cf198b4d4709549cabb608b1a69
    • Opcode Fuzzy Hash: b4408c16ddbda798a628edf7d8612c918040245b7d49ebf488658547886fa70c
    • Instruction Fuzzy Hash: 43113631A04234ABDB2077B1BC45AAEB7699F80756F2101A0F605F21E4EF70CE45ABB1

    Control-flow Graph

    APIs
    • GetDlgItem.USER32(?,000003FA), ref: 0093AE5A
    • GetDlgItem.USER32(?,000003F9), ref: 0093AE75
    • GetDlgItem.USER32(?,000003F8), ref: 0093AE8F
    • GetDlgItem.USER32(?,000003F7), ref: 0093AEA9
    • GetDlgItem.USER32(?,000003F8), ref: 0093AEB8
    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0093AECC
    • SendMessageW.USER32(00000000,000000F1,00000002,00000000), ref: 0093AEDC
    • Sleep.KERNEL32(000003E8), ref: 0093AEEC
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Item$MessageSend$Sleep
    • String ID:
    • API String ID: 2982058494-0
    • Opcode ID: 8c8a5fef3b70e0ce5447395fee9b86b50a5a60670386a16794ec3c0b8aa80a85
    • Instruction ID: eac5daf6cf7f63b3a56d53336e7a732235e0d028d516cec13a5d5f0d90f4975c
    • Opcode Fuzzy Hash: 8c8a5fef3b70e0ce5447395fee9b86b50a5a60670386a16794ec3c0b8aa80a85
    • Instruction Fuzzy Hash: ED119132AC8727BBD7361B668D49FA6BB59E704B51F000121F715AB1E0DBA1AD40ABC1

    Control-flow Graph

    APIs
    • InternetSetOptionW.WININET(?,00000002,?,00000004), ref: 009242E5
    • InternetConnectW.WININET(?,?,?,?,?,00000003,00000000,00000000), ref: 009242FF
    • InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 00924331
    • InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 00924340
    • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 0092434F
    • InternetSetOptionW.WININET(00000000,0000001C,?,00000001), ref: 00924379
    • InternetSetOptionW.WININET(00000000,0000001D,0095D860,00000001), ref: 00924389
      • Part of subcall function 00924D16: GetLastError.KERNEL32(00000000), ref: 00924D27
      • Part of subcall function 00924D16: InternetGetLastResponseInfoW.WININET(00000000,?,00000201), ref: 00924D89
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Internet$Option$Last$ConnectErrorInfoResponse
    • String ID:
    • API String ID: 722321641-0
    • Opcode ID: 62f840f7548ee572bc1f1ef89cf7c67e8b615c3ad21479cad15d6fda3745f640
    • Instruction ID: 1239ac07a91c9f839785075c15028843e2f34de282ac99bac07469869a5c1cff
    • Opcode Fuzzy Hash: 62f840f7548ee572bc1f1ef89cf7c67e8b615c3ad21479cad15d6fda3745f640
    • Instruction Fuzzy Hash: 7F316F72250215FFEB21EF60AD46FBB36ADEB84B40F004425FB16E60D5E7B09D509BA1

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: 4bbd886d6375e81569fb55d3d7eba85cb8604b5cb7c162783ccc8268e7eac846
    • Instruction ID: 8235535744914a77f756af8efe2580f3469d8cc93c6dc3908e5aab46dd1dbad4
    • Opcode Fuzzy Hash: 4bbd886d6375e81569fb55d3d7eba85cb8604b5cb7c162783ccc8268e7eac846
    • Instruction Fuzzy Hash: C621E732A05720ABCB318B359C44F1B776C9F81768F230610FD16AB291E634ED00D6E0
    APIs
    • __EH_prolog.LIBCMT ref: 00927B25
    • SetErrorMode.KERNEL32(00008001,?,00000000,00000000,?,?), ref: 00927B6B
    • GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 00927B70
    • GetLastError.KERNEL32(?,00000000,00000000,?,?), ref: 00927B81
    • GetLastError.KERNEL32(?,00000000,00000000,?,?), ref: 00927B88
    • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 00927B8D
    • SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 00927B90
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$Last$Mode$AttributesFileH_prolog
    • String ID:
    • API String ID: 1063890512-0
    • Opcode ID: 77a80dec7562581dcb898c8f10624c59f6eb5bfd830291a1844e44125dc07ccf
    • Instruction ID: a93f6b70af7fe5e64e0a44ae840e9ab5f3a1fc6b5c94814071e062190e2345c2
    • Opcode Fuzzy Hash: 77a80dec7562581dcb898c8f10624c59f6eb5bfd830291a1844e44125dc07ccf
    • Instruction Fuzzy Hash: 73218671A01224AFDB10ABB5EC45BAE77B4EF49714F100069F905B72D1CB746E45CBA1
    APIs
    • GetDesktopWindow.USER32 ref: 00939309
    • CreateDialogParamW.USER32(?,00000065,00000000,Function_000191AB,00000000), ref: 00939325
    • ShowWindow.USER32(00000000,00000001), ref: 00939330
    • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00939337
    • TranslateMessage.USER32(?), ref: 00939355
    • DispatchMessageW.USER32(?), ref: 0093935F
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0093936C
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: CallbackDispatcherMessageUserWindow$CreateDesktopDialogDispatchParamShowTranslate
    • String ID:
    • API String ID: 1319164583-0
    • Opcode ID: fbc4a75098db45bed5844d4eefa1ddadd99438cd0e3b7829ecf6120a1baf4cc6
    • Instruction ID: f9a32574aac96e85149a2fba8611649f50f0a8a4c83c0b49d9868e59ad1fb4c9
    • Opcode Fuzzy Hash: fbc4a75098db45bed5844d4eefa1ddadd99438cd0e3b7829ecf6120a1baf4cc6
    • Instruction Fuzzy Hash: B7018172919229ABCB10ABA7EC4CD9B3FBCEB88716F004021F515D7154D7749582DF60
    APIs
    • __EH_prolog.LIBCMT ref: 00927243
    • SetErrorMode.KERNEL32(00008001,?,00000000,?,?,00000000), ref: 00927286
    • DeleteFileW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0092728B
    • GetLastError.KERNEL32(?,00000000,?,?,00000000), ref: 00927294
    • SetErrorMode.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0092729D
    • SetLastError.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 009272A0
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$DeleteFileH_prolog
    • String ID:
    • API String ID: 1756590729-0
    • Opcode ID: 2fcc6bda9a3e0f6fda3ee6c0838ffc6fad7927ebf82bbbd7e9953081f7d7984c
    • Instruction ID: d5bd87593b5379b5f8781e4bea4aa78240fc3e42fe01802302134a678e8c0a6e
    • Opcode Fuzzy Hash: 2fcc6bda9a3e0f6fda3ee6c0838ffc6fad7927ebf82bbbd7e9953081f7d7984c
    • Instruction Fuzzy Hash: 1911CB72E11224ABDB10BBB5EC86BAE7778EF85705F10001AF505B3181CB749E458B61
    APIs
    • __EH_prolog.LIBCMT ref: 0092773B
    • SetErrorMode.KERNEL32(00008001,?,00000000,00000000,00000000,00000000), ref: 0092777E
    • RemoveDirectoryW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00927783
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0092778C
    • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00927795
    • SetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00927798
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$DirectoryH_prologRemove
    • String ID:
    • API String ID: 2887201596-0
    • Opcode ID: 3fe1929c833d255a032a1d05c982bafca54f5f9c4916463694b618cd4caf6063
    • Instruction ID: 88fd9c51ad12b0f49ae2b53b4b1288b8e618a3d300e3b8e25b908fc415c765ff
    • Opcode Fuzzy Hash: 3fe1929c833d255a032a1d05c982bafca54f5f9c4916463694b618cd4caf6063
    • Instruction Fuzzy Hash: 1B11C872E11224ABDF10BBB5EC8ABAE77B8EF89715F10001AF505B3181DB749E458B61
    APIs
    • __EH_prolog.LIBCMT ref: 00927517
    • SetErrorMode.KERNEL32(00008001,?,00000001,00000000,?,?), ref: 00927552
    • GetLastError.KERNEL32(?,00000001,00000000,?,?), ref: 009275A8
    • SetErrorMode.KERNEL32(?,?,00000001,00000000,?,?), ref: 009275B3
    • SetLastError.KERNEL32(00000000,?,00000001,00000000,?,?), ref: 009275BA
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$H_prolog
    • String ID:
    • API String ID: 1274526172-0
    • Opcode ID: 91d8e9826f526b9346e2fb4494b4bbd25989bca6627718db95ab8b0357f95c90
    • Instruction ID: c82dc5f66cdcdda96cb1029567e96f26710b43e70fa8e609d1c340e9f9087592
    • Opcode Fuzzy Hash: 91d8e9826f526b9346e2fb4494b4bbd25989bca6627718db95ab8b0357f95c90
    • Instruction Fuzzy Hash: 8121D331A05234AADF24ABF1B84AFAEF678EF45304F104469F506A31D5DA744A85CBA1
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,?,?,?,?,?,00926D64), ref: 00926FB3
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00926D64), ref: 00926FC0
    • GetLastError.KERNEL32(?,?,?,?,?,00926D64), ref: 00926FC8
    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,00926D64), ref: 00926FD1
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00926D64), ref: 00926FD8
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastModeTime$FileSystem
    • String ID:
    • API String ID: 81331137-0
    • Opcode ID: 6b1d4b44a0529b06dcade9e6cbe797426b795db8bfb7c9426eb00a86bcc386ab
    • Instruction ID: 8b2e3e2703c29a54f93635096e0f32e4c1ee233d3ae874b8061ca13ad899a19f
    • Opcode Fuzzy Hash: 6b1d4b44a0529b06dcade9e6cbe797426b795db8bfb7c9426eb00a86bcc386ab
    • Instruction Fuzzy Hash: 8211512D9142459AC700AFF1D8445EEB774FF48709B248099E909E7350E7328D47DB75
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00927FB9
    • GetTempFileNameW.KERNEL32(?,00968A44,00000000), ref: 00927FCA
    • GetLastError.KERNEL32(?,00968A44,00000000), ref: 00927FD2
    • SetErrorMode.KERNEL32(00000000,?,00968A44,00000000), ref: 00927FDB
    • SetLastError.KERNEL32(00000000,?,00968A44,00000000), ref: 00927FE2
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$FileNameTemp
    • String ID:
    • API String ID: 138537940-0
    • Opcode ID: 5077492e020c279b3e0c0721ab24c2da484b9527ff36a20df7c85229eafbe76c
    • Instruction ID: 7365d596c7dee7db13561b4498df848221f6aee20b9b01617b852f694756c3ee
    • Opcode Fuzzy Hash: 5077492e020c279b3e0c0721ab24c2da484b9527ff36a20df7c85229eafbe76c
    • Instruction Fuzzy Hash: A6F04432A023203BDB602BB66C0EB4F399CAF85729F150025FA05D71D1DEA18C409361
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00927F36
    • GetTempPathW.KERNEL32(00000104), ref: 00927F44
    • GetLastError.KERNEL32 ref: 00927F4D
    • SetErrorMode.KERNEL32(00000000), ref: 00927F56
    • SetLastError.KERNEL32(00000000), ref: 00927F5D
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$PathTemp
    • String ID:
    • API String ID: 875176722-0
    • Opcode ID: 82ff178ee558a100535c8ef46d9fbdf1232c44e3f7ee60295816c767b5ee1907
    • Instruction ID: cebbad74bda1e6943cbbce600a6fbf3c5dc65e66e531bd7ec93f6cc7758cdc9a
    • Opcode Fuzzy Hash: 82ff178ee558a100535c8ef46d9fbdf1232c44e3f7ee60295816c767b5ee1907
    • Instruction Fuzzy Hash: B7F0F931B1D320ABDB6027B27C0DBAF799CDB41755F100425FA05E21C4E965CA409262
    APIs
    • __EH_prolog.LIBCMT ref: 00938D26
    • GetCommandLineW.KERNEL32 ref: 00938D6A
      • Part of subcall function 00939431: __EH_prolog.LIBCMT ref: 00939436
      • Part of subcall function 00939431: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000004,00000004,00000000,00000000,00000000), ref: 009394D5
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00938EC9
    Strings
    • %sCode : %dMessage : <%s>, xrefs: 00938E75
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: H_prolog$CommandFileLineMessageModuleName
    • String ID: %sCode : %dMessage : <%s>
    • API String ID: 3547249548-59199059
    • Opcode ID: 95f0bef6eab7f4cee9a98f0918b1bd80c34310106bacd4c518ac4b8da3a3b37e
    • Instruction ID: bd76b8290f4067ee11d421ce21362bdeba69acbefd7d1ea01c4d63b7603ab39d
    • Opcode Fuzzy Hash: 95f0bef6eab7f4cee9a98f0918b1bd80c34310106bacd4c518ac4b8da3a3b37e
    • Instruction Fuzzy Hash: D3518D716043049BDB24BBB5EC86B6F77A9AFC4340F14452AF806DA196DFB4C9818FA1
    APIs
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000001), ref: 00926413
    • GetLastError.KERNEL32 ref: 0092643D
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 0092646E
    • ##(IXStream)-Access=<%x>##, xrefs: 00926481
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: ##(IXStream)-Access=<%x>##$##(IXStream)-Handle=<%p>##
    • API String ID: 442123175-1203569065
    • Opcode ID: 4ab2e5204be8bc83fdcbfc3227ec10f28ffeaacc4cb408eb46a206ae6a8190cc
    • Instruction ID: 619ef5e03e80d05ab73e01ef147eb990525c01b38713514958864d3d450ea306
    • Opcode Fuzzy Hash: 4ab2e5204be8bc83fdcbfc3227ec10f28ffeaacc4cb408eb46a206ae6a8190cc
    • Instruction Fuzzy Hash: F9210435342612BFEB08BF65EC42FB9B36AFF84304F008518F519565A5DBB1AC61DB90
    APIs
    • SetFilePointer.KERNEL32(?,?,?,?,00000001), ref: 00926689
    • GetLastError.KERNEL32 ref: 0092669C
    • GetLastError.KERNEL32 ref: 009266A2
      • Part of subcall function 0092D909: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,00000000,?,?,00923886,00000000,?,?,?,?), ref: 0092D934
      • Part of subcall function 0092D909: LocalFree.KERNEL32(00000000,?,00923886,00000000,?,?,?), ref: 0092D952
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 009266D0
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorLast$FileFormatFreeLocalMessagePointer
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 1717876565-1932549541
    • Opcode ID: 5a4cb277550070b4cbc3a46ed90284d0b48fb797b60e6eaaa554d2d9c430ec6a
    • Instruction ID: 1fadc0e392ddf89332abdcde7366fe7ee4400a7c7aee0ca241c4325695f86a0d
    • Opcode Fuzzy Hash: 5a4cb277550070b4cbc3a46ed90284d0b48fb797b60e6eaaa554d2d9c430ec6a
    • Instruction Fuzzy Hash: 2B210275701211BFE704ABA1EC82FAAB36AFF88310F004525F925832D5DB71AC6197A0
    APIs
    • GetLastError.KERNEL32(?,?,?,009450E9,0096BE00,0000000C), ref: 0094712D
    • _free.LIBCMT ref: 0094718A
    • _free.LIBCMT ref: 009471C0
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,009450E9,0096BE00,0000000C), ref: 009471CB
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 0bf1259405576d9449e4f66654637378fdec37c86070ec0fa0bfdd0a6e1af954
    • Instruction ID: d25f12c0e40a1b1fc9f47926589c9d5d8b5ec6d078eaba89ffdf4d892b3ebb4c
    • Opcode Fuzzy Hash: 0bf1259405576d9449e4f66654637378fdec37c86070ec0fa0bfdd0a6e1af954
    • Instruction Fuzzy Hash: 9D11297220C208ABE71527F86DC5E3B225E8BCB774B350238F224962D2EFA58C055121
    APIs
    • CreateThread.KERNEL32(00000000,?,Function_000250C4,00000000,00000004,00000000), ref: 00945271
    • GetLastError.KERNEL32(?,00DBFF40,?,?,?,00939AC1,Function_00019301,00000000,00000000), ref: 0094527D
    • __dosmaperr.LIBCMT ref: 00945284
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: CreateErrorLastThread__dosmaperr
    • String ID:
    • API String ID: 2744730728-0
    • Opcode ID: 67066d5c33c1173e4f8e04fcc3264d80341841c5f9863d80063f2081738d228e
    • Instruction ID: af1f3348398d92a3314f50caf3ca05d6bc98df84362e4a7c2fbdf8d62c80cd08
    • Opcode Fuzzy Hash: 67066d5c33c1173e4f8e04fcc3264d80341841c5f9863d80063f2081738d228e
    • Instruction Fuzzy Hash: 2301D272514A04BBDB209FE5CC05F9E7BA9EF8237AF224215F524960D1EBB0C980E761
    APIs
    • __EH_prolog.LIBCMT ref: 0092E487
    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,009682FC,?,00001000,00000000), ref: 0092E4FD
    Strings
    Similarity
    • API ID: H_prologPrivateProfileString
    • String ID: R%03d
    • API String ID: 3369083350-2311197019
    • Opcode ID: 5cc8133c6671e35773fd2c7c2a8c0c0deefcf739c7448c37c3b54d7d01ce5f28
    • Instruction ID: 426bfb2ee46f81db0070244aa2a6c2bc1b7aab6c36b7aad3cc52a0fe964620d0
    • Opcode Fuzzy Hash: 5cc8133c6671e35773fd2c7c2a8c0c0deefcf739c7448c37c3b54d7d01ce5f28
    • Instruction Fuzzy Hash: C23184B2900225ABDB14EFA4DC45EEFB7BCEF84714B104466F505A7296DB34AE04CB61
    APIs
    • GetProfileIntW.KERNEL32(PREINSTALL,GARDETEMP,00000000), ref: 0093A438
    Strings
    Similarity
    • API ID: Profile
    • String ID: GARDETEMP$PREINSTALL
    • API String ID: 1323996051-2455646009
    • Opcode ID: 3d728cbb96512b9900b104b3c6775b5d80f2163206b5d9809afb9c029332dd00
    • Instruction ID: 05d948ac25ec667bf28bbd1f4aaadb3c132113e23bf920979c32cf405e29fad6
    • Opcode Fuzzy Hash: 3d728cbb96512b9900b104b3c6775b5d80f2163206b5d9809afb9c029332dd00
    • Instruction Fuzzy Hash: 60D022331983106BC110A756EC1BFA3777CE7E5708F400000F502A32E1AEC1BC808BA1
    APIs
    • SetLastError.KERNEL32(00000005,?,00000001,00000000,00000001,00000000), ref: 0092767F
    • GetFileAttributesW.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,?), ref: 009276A6
    • CreateDirectoryW.KERNEL32(00000000,0000000C,?,00000001,00000000), ref: 00927714
    Similarity
    • API ID: AttributesCreateDirectoryErrorFileLast
    • String ID:
    • API String ID: 674977465-0
    • Opcode ID: c037bcb07e91db1c261d15f2ae7ec3b11d45aaa5fb8e664c87706e5de10c9fc4
    • Instruction ID: f8c5c14f72dc5a5307a936041561fadd671ebc3497d1bd3e0248635e8227cc09
    • Opcode Fuzzy Hash: c037bcb07e91db1c261d15f2ae7ec3b11d45aaa5fb8e664c87706e5de10c9fc4
    • Instruction Fuzzy Hash: A2313522308B209BEB254ABDAC4876BF6DD9FC4315F14082DE526E72D4EAB0CC458792
    APIs
    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000), ref: 0092C78C
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0092C79C
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0092C7E6
    Similarity
    • API ID: Time$FileSystem$InformationZone
    • String ID:
    • API String ID: 3846428178-0
    • Opcode ID: 96e85d75db05a5e6f647c643d23d79089c75c525ec78ca139f83c40037c4a33d
    • Instruction ID: 12509f9d5a06ce9abc1b9899a6608cfd4e28c2e63041562a22868ef2113e2947
    • Opcode Fuzzy Hash: 96e85d75db05a5e6f647c643d23d79089c75c525ec78ca139f83c40037c4a33d
    • Instruction Fuzzy Hash: E80192B2D04129ABDB14CBA5FC44F9EB7BCEB40315F114161E915E31C4E7309A48DB90
    APIs
    • GetLastError.KERNEL32(0096BE00,0000000C), ref: 009450D7
    • ExitThread.KERNEL32 ref: 009450DE
    • KiUserCallbackDispatcher.NTDLL ref: 0094511A
    Similarity
    • API ID: CallbackDispatcherErrorExitLastThreadUser
    • String ID:
    • API String ID: 316949098-0
    • Opcode ID: 47a26e9f8b78a9ecfa7f486991adfdea892a841614b5fa7425a84aaf2dc28680
    • Instruction ID: 370099f10f8ad376bcd23f5cecd6dd4435d37ed002592a8dba0f214544fca025
    • Opcode Fuzzy Hash: 47a26e9f8b78a9ecfa7f486991adfdea892a841614b5fa7425a84aaf2dc28680
    • Instruction Fuzzy Hash: C5F0AF716086059FDB05AFF0D80AF6E7760EF85706F214159F2059B292DB706981DBD1
    APIs
    • __EH_prolog.LIBCMT ref: 00939436
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000004,00000004,00000000,00000000,00000000), ref: 009394D5
      • Part of subcall function 0093A95B: GetPrivateProfileIntW.KERNEL32(GENERAL,NATIONDEFAUT,00000000,?), ref: 0093A9B6
    Similarity
    • API ID: FileH_prologModuleNamePrivateProfile
    • String ID:
    • API String ID: 1212290808-0
    • Opcode ID: 106d1606153acb13706efff13e068dd6780cda1ed30cb485f414299db36059ed
    • Instruction ID: e175b47c3031f51289ddcfb11f6960604ae9d4fe0dc6ec8db686ab5fb10ea046
    • Opcode Fuzzy Hash: 106d1606153acb13706efff13e068dd6780cda1ed30cb485f414299db36059ed
    • Instruction Fuzzy Hash: 821184B5A00716EBC708EF75D881BE9F7B5FF94300F10822EE61953281EB702659CB90
    APIs
    • TlsFree.KERNEL32(?,?,00DBACE0,0092FC03), ref: 0092FC9E
    • DeleteCriticalSection.KERNEL32(00DBACE4,0092FC03), ref: 00930367
    Similarity
    • API ID: CriticalDeleteFreeSection
    • String ID:
    • API String ID: 3112490556-0
    • Opcode ID: 682dfa695599c0f96c5c1cb31b6fabcb75e89173f8bff2dba66bdbb1544b1cbe
    • Instruction ID: 50cd44e309df27053bd9803db680daf7252b0402162de12b5a57f69ec2bd3b46
    • Opcode Fuzzy Hash: 682dfa695599c0f96c5c1cb31b6fabcb75e89173f8bff2dba66bdbb1544b1cbe
    • Instruction Fuzzy Hash: 1CD0A775024507EBCB5C6F21D9188D6FF74FEF43513100116E01642910DF709024DFA0
    APIs
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00939592
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: 95f1be44693a5666aee409ef8688b9e92cc1842766bc80f92c76d074743b912c
    • Instruction ID: c96d49d9ee9af5e30aa5f0f3459b7111da02992df346fe87cf1093fa6ef2f2de
    • Opcode Fuzzy Hash: 95f1be44693a5666aee409ef8688b9e92cc1842766bc80f92c76d074743b912c
    • Instruction Fuzzy Hash: CC11A57230412566CF157B65FC41BEF379D9FC4350F004425FD0ADA186EE649E458BA9
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 32ed6a35af0f7c6a0d87a89b7ae63c248d6e156299d7f50b9af2ffc15510176a
    • Instruction ID: 8d62a3278118b3f3e3d2f89edf9f509cea558dc061976ad5d73b32128bb8fa3b
    • Opcode Fuzzy Hash: 32ed6a35af0f7c6a0d87a89b7ae63c248d6e156299d7f50b9af2ffc15510176a
    • Instruction Fuzzy Hash: B20140377242115F9F268F6DDC80E9F33DAEBC5370B254124F905CB195DA70D8419790
    APIs
    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00924E03
    Similarity
    • API ID: InternetOpen
    • String ID:
    • API String ID: 2038078732-0
    • Opcode ID: 5a1ec0061f5081b25a8761ce986e87e427b6d73e95a2913d37a2f9ae5e5a5982
    • Instruction ID: 87e6e7d246bd2259a7764cee335563a0fdff0efed5dc09f6deae01af559238ba
    • Opcode Fuzzy Hash: 5a1ec0061f5081b25a8761ce986e87e427b6d73e95a2913d37a2f9ae5e5a5982
    • Instruction Fuzzy Hash: 81F0A0327502A076E7307667BC0AF6B3AADEBD2F50F01483EF909C2189E590A85196B0
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009472CA,00000001,00000364,00000006,000000FF,?,00946A49,00946AD4,?,?,00925A50,00000002), ref: 0094C5A1
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 28ef744e557d137fca3dc9774bc9593e4db99f4367669b77bd222890add2c58d
    • Instruction ID: 1e0ec0b45a12887316a628139e6bd62ecf57aeccfaf6ba47ee197437e0f36ec3
    • Opcode Fuzzy Hash: 28ef744e557d137fca3dc9774bc9593e4db99f4367669b77bd222890add2c58d
    • Instruction Fuzzy Hash: 34F0E9B250E620AFDFA16B669C01F5E3B4CAFC1760F158511BC04E6090EB71FC4186E0
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00925A50,00000002,?,?), ref: 00946AC3
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 4e78f0f6e37341e6aef7949c1e1ffb2f3e0129516a36766ca79a05e3d9906215
    • Instruction ID: 308d0c71fb494c5e634d5e0e4ebf635178025fdce57c273099dde8eaef712ecc
    • Opcode Fuzzy Hash: 4e78f0f6e37341e6aef7949c1e1ffb2f3e0129516a36766ca79a05e3d9906215
    • Instruction Fuzzy Hash: FBE065A2114E20AADB216F659C11F5A3A5DDFC37A4F1AC111ED05B6091EA64DC4086E3
    APIs
    • SendMessageW.USER32(?,00000002,00000000,00000000), ref: 0093A412
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 56ba39564848a7d2e08104ca0490019ff3b5b3a61d7092a7ded1778b6c345e46
    • Instruction ID: 5b0884879d6db7642e25e1fe75535d626e14ad9a211c6b9c85df1d0bc45a1a42
    • Opcode Fuzzy Hash: 56ba39564848a7d2e08104ca0490019ff3b5b3a61d7092a7ded1778b6c345e46
    • Instruction Fuzzy Hash: 15D01231258B6067E7304B2AAC4EFC273D85B00B12F24041AB265EB1C1E7E4A8809A58
    APIs
    • _free.LIBCMT ref: 00942562
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    Similarity
    • API ID: ErrorFreeHeapLast_free
    • String ID:
    • API String ID: 1353095263-0
    • Opcode ID: 95ad726996baa8e6c4895e431215cb5c95e766e28b8789aa5becff6fbe456ae1
    • Instruction ID: 78a23313cd7c8fb53fad031f9c73ed9210af9cbdcac52ac5040044bbf72cc0e7
    • Opcode Fuzzy Hash: 95ad726996baa8e6c4895e431215cb5c95e766e28b8789aa5becff6fbe456ae1
    • Instruction Fuzzy Hash: 28C04CB1500248BBDB05DF45D906F4E7BA9DB81364F204054F41567251DBB1EE449695
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0093C114
      • Part of subcall function 0093C3BC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0093C42F
      • Part of subcall function 0093C3BC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0093C440
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 552f3dd37df22481de02978113976d6d25e2f531716816b0a48e52fd79439fde
    • Instruction ID: 6a26dd1e503776814beccb646174f556b64953d38c3b8fe9748a21b958945c16
    • Opcode Fuzzy Hash: 552f3dd37df22481de02978113976d6d25e2f531716816b0a48e52fd79439fde
    • Instruction Fuzzy Hash: D3B012C12BC6007C721471407C22D37134CC1C2B10730892FF800F0053A4401C001D33
    APIs
    • SendMessageW.USER32(?,0000072A,?,00000000), ref: 0093914A
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 717a945d2f1f2dcbb84a620aa003f66d0f512f0e4a5623c4577a8ed7993d3ca7
    • Instruction ID: 90d8ca5f8a03847a6d5072a149089ee25749381640f75e971cf0a5e51590e1ba
    • Opcode Fuzzy Hash: 717a945d2f1f2dcbb84a620aa003f66d0f512f0e4a5623c4577a8ed7993d3ca7
    • Instruction Fuzzy Hash: 42C08C32184208B7CA004B90DC02FD4BF20FB18349F108010F609180A0D373A435FB85
    APIs
    • SendMessageW.USER32(?,0000072A,?,00000000), ref: 0093914A
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: b78a6ad38193d17bd25f34193ce9127b17673ae47a5df42a940f2a5d6c1b783d
    • Instruction ID: 3c22e540aa6542a613ed48ee2edb9b860f07ee93929530bc58471132c14b40fd
    • Opcode Fuzzy Hash: b78a6ad38193d17bd25f34193ce9127b17673ae47a5df42a940f2a5d6c1b783d
    • Instruction Fuzzy Hash: 84C09B31144308B7D6011B91DD06F95BF19E755755F108011F7191C0A1D777A561BB95
    APIs
    • SendMessageW.USER32(?,0000072B,?,00000000), ref: 00939164
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 295bf4217382178d7ad58beb143218fed00df1889a78d1f410dd69f8d75b50c9
    • Instruction ID: 1ec95839130215611b94676b3d0080c0952b8469a37eb6a09a29da4dce16c159
    • Opcode Fuzzy Hash: 295bf4217382178d7ad58beb143218fed00df1889a78d1f410dd69f8d75b50c9
    • Instruction Fuzzy Hash: B7C09232188308BBDA012B82ED06F95BF29EB59B95F108021F7181C0A1C7B7A461BB98
    APIs
    • SendMessageW.USER32(?,0000072C,?,00000000), ref: 0093917E
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 12d8838c8d9f10087e44f3bd2562235445fe99719aaa37767a321d3d6b2d32a8
    • Instruction ID: 2b88e2fdc3dfde3c6635287a79feecf2cdd43b600ff645bc44382eed711d0591
    • Opcode Fuzzy Hash: 12d8838c8d9f10087e44f3bd2562235445fe99719aaa37767a321d3d6b2d32a8
    • Instruction Fuzzy Hash: 98C09B31144308B7D6011B91DD06F95BF19D755755F108011F7181C0A1C777A461BB94
    APIs
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 8d9f1d7829698d8597265e3aa0e0987baa547d8c910539fbefaa80ff4458bf8e
    • Instruction ID: 7c0d61820905d18828508628b3f8d2e1f9c99928e42d534c113d90b438ff1513
    • Opcode Fuzzy Hash: 8d9f1d7829698d8597265e3aa0e0987baa547d8c910539fbefaa80ff4458bf8e
    • Instruction Fuzzy Hash: 25F059331042042BE7205B15AC46F7AF79CEFC6720F000229F94083082D7A1A946CAB0
    APIs
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: b8550a0d3aff1a3d2746a091ccc476677e6299199e7b61ba76e01ba652aef0df
    • Instruction ID: 3a4b23f6fbb748d961009d064bc215aa13118128c0fcf645e646dd6a04068941
    • Opcode Fuzzy Hash: b8550a0d3aff1a3d2746a091ccc476677e6299199e7b61ba76e01ba652aef0df
    • Instruction Fuzzy Hash: 44E0D833614214AF930017FDBCCAAAF329DD784379B150726F523C71E0D6E11C815A61
    APIs
      • Part of subcall function 0092E31D: GetVersionExW.KERNEL32(00000114), ref: 0092E33F
    • GetPrivateProfileStringW.KERNEL32(WDF,APPLI,0095D860,00DC0B84,00000104,00DC0770), ref: 0093A3A3
    • SetWindowTextW.USER32(?,00000000), ref: 0093A3E0
      • Part of subcall function 00939376: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 009393E8
      • Part of subcall function 00939376: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 00939427
    Strings
    Similarity
    • API ID: PrivateProfileString$DirectoryTextVersionWindowWindows
    • String ID: .WXF$APPLI$INST$INSTPRG$INSTPRGCLIENT%s$PARAMINSTALLEUR$PARAMINSTALLEUR_PROG_INSTALLCLIENT$WDF$WDSetup.EXE
    • API String ID: 2147892605-1515113056
    • Opcode ID: fd61136434cc3cacd1f53cd65d4d0bf6b615a4c24bde4895949005508c27982c
    • Instruction ID: 3a3ed0a77cae6d8df048f069d2f05376f99e7d9d2402f91c48b1c175741930f1
    • Opcode Fuzzy Hash: fd61136434cc3cacd1f53cd65d4d0bf6b615a4c24bde4895949005508c27982c
    • Instruction Fuzzy Hash: EA41C172A002196ACB10EB60DC92EEB33ADEFD4714F540166F945AB0C6EF709F45CBA1
    APIs
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0094CB49
    • _free.LIBCMT ref: 0094CC19
    • FindNextFileW.KERNEL32(00000000,?), ref: 0094CC27
    • _free.LIBCMT ref: 0094CC75
    • FindClose.KERNEL32(00000000), ref: 0094CC84
    • _free.LIBCMT ref: 0094CC9A
    Similarity
    • API ID: Find_free$File$CloseFirstNext
    • String ID:
    • API String ID: 1576393127-0
    • Opcode ID: 9cd48b51fec568bcaa6685fe0aba5532f4b1830053746d5d807b8f7601977796
    • Instruction ID: a03b8c979a7445b32a3d7d78b99bee4cf270c645764576c094bfb1a05b378db9
    • Opcode Fuzzy Hash: 9cd48b51fec568bcaa6685fe0aba5532f4b1830053746d5d807b8f7601977796
    • Instruction Fuzzy Hash: B861DFF190611C6EDF60DF78CC99FBAB7B8AB45304F1442DAE04DA3241DA318E859F54
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0093CFD2
    • IsDebuggerPresent.KERNEL32 ref: 0093D09E
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0093D0BE
    • UnhandledExceptionFilter.KERNEL32(?), ref: 0093D0C8
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 3eff639a35ddb4e97c478c8cd4fa336c75337a18c354a202a42b25e0dc7646a2
    • Instruction ID: 68d6f2e613296de294955e3c55bf1f2d5fa19617215453d5dc82ca64e20d8dae
    • Opcode Fuzzy Hash: 3eff639a35ddb4e97c478c8cd4fa336c75337a18c354a202a42b25e0dc7646a2
    • Instruction Fuzzy Hash: E0312BB5D1631C9BDB20DFA5DD497CDBBB8AF18304F10409AE40DAB250EB715A85DF44
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00970EAC,00000001,00000000,0092151F,00000004,00000000,0000FFFF,?), ref: 009214A9
    • SetSecurityDescriptorDacl.ADVAPI32(00970EAC,00000001,00000000,00000000), ref: 009214B6
    Similarity
    • API ID: DescriptorSecurity$DaclInitialize
    • String ID:
    • API String ID: 625223987-0
    • Opcode ID: 0fc0d4a68b5cb6c6bf92375872ac7c61332511472981c34b4c5f4d3fa278b29a
    • Instruction ID: cf0f25aef2088977cb834d49c1ce2f39f721f968e495bc4e289e2b30c77e092a
    • Instruction Fuzzy Hash: 7BD06773269300EBE3A15B15BD4AB273AA5BBC1B16F600919F209992E0C3F614C1A714
    APIs
    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,009290B7,009290EB,0092C8A3), ref: 00929005
    • GetProcAddress.KERNEL32(00000000,NtOpenKey), ref: 0092901D
    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 0092902E
    • GetProcAddress.KERNEL32(00000000,NtQueryValueKey), ref: 00929036
    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 0092903E
    • GetProcAddress.KERNEL32(00000000,RtlFreeUnicodeString), ref: 00929046
    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0092904E
    • GetProcAddress.KERNEL32(00000000,RtlSetDaclSecurityDescriptor), ref: 0092905B
    • GetProcAddress.KERNEL32(00000000,RtlCreateSecurityDescriptor), ref: 00929068
    • GetProcAddress.KERNEL32(00000000,NtSetSecurityObject), ref: 00929075
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: NtClose$NtOpenKey$NtQueryValueKey$NtSetSecurityObject$RtlCreateSecurityDescriptor$RtlFreeUnicodeString$RtlInitUnicodeString$RtlNtStatusToDosError$RtlSetDaclSecurityDescriptor$ntdll.dll
    • API String ID: 667068680-2339282825
    • Opcode ID: 62f210e0968f2ffe5e28ab8e5552fc859e859f57ded7ebcb4d96df0976026c41
    • Instruction ID: f80155ad432e30cfcdc77a7a8ce6e14c0cd0240ac9b07175ea5044d64e6e077b
    • Instruction Fuzzy Hash: 91F0A43A696774F586233B36EC0DCCB3E9C9FD6B197020416F014A21D4CBF68851EEA5
    APIs
    • GetModuleHandleW.KERNEL32(USER32.DLL,?,00DBFF40,?,?,?,?,?,?,?,?,0093AC62), ref: 0093BAD1
    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0093BAF9
    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0093BB1A
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 0093BB27
    • GetSystemMetrics.USER32(75C09120), ref: 0093BB3E
    • GetSystemMetrics.USER32(00000001), ref: 0093BB45
    • MonitorFromPoint.USER32(?,?,00000001), ref: 0093BB57
    • GetMonitorInfoW.USER32(00000000,?), ref: 0093BB80
    Similarity
    • API ID: AddressProc$MetricsMonitorSystem$FromHandleInfoModulePoint
    • String ID: GetMonitorInfoW$MonitorFromPoint$MonitorFromWindow$USER32.DLL
    • API String ID: 170033150-1569299361
    • Opcode ID: cc423de842aa24be05f6cc8c6e8978f4f8213a158cd0bedd708d983a3d9131e2
    • Instruction ID: c0fb1dd2e5650cc2e7d8261f1b6fbab2dcd4edbff7860bac30411136e5c719ce
    • Instruction Fuzzy Hash: 6821A772E24304ABD7149F659D86FAA77BCFF88754F004419F609A7180DBF19C809B50
    APIs
    • ___free_lconv_mon.LIBCMT ref: 0094E836
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E40C
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E41E
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E430
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E442
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E454
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E466
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E478
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E48A
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E49C
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E4AE
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E4C0
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E4D2
      • Part of subcall function 0094E3EF: _free.LIBCMT ref: 0094E4E4
    • _free.LIBCMT ref: 0094E82B
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    • _free.LIBCMT ref: 0094E84D
    • _free.LIBCMT ref: 0094E862
    • _free.LIBCMT ref: 0094E86D
    • _free.LIBCMT ref: 0094E88F
    • _free.LIBCMT ref: 0094E8A2
    • _free.LIBCMT ref: 0094E8B0
    • _free.LIBCMT ref: 0094E8BB
    • _free.LIBCMT ref: 0094E8F3
    • _free.LIBCMT ref: 0094E8FA
    • _free.LIBCMT ref: 0094E917
    • _free.LIBCMT ref: 0094E92F
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: da87e5c3e9e7a25638213bb39a4c051522f885506bd72a0b737ea9c33849eb4f
    • Instruction ID: b001e7da6d21ce279e1891127292e5422281e50f2173f4b6ecaf19a03a4ff959
    • Instruction Fuzzy Hash: BF3148B16006009FEF25EE39D845F6A73E9BF41350F149829E099E72A1DB31ED80CB25
    APIs
    • GetParent.USER32(?), ref: 0093B8A8
      • Part of subcall function 0093BAB1: GetModuleHandleW.KERNEL32(USER32.DLL,?,00DBFF40,?,?,?,?,?,?,?,?,0093AC62), ref: 0093BAD1
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0093BAF9
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0093BB1A
      • Part of subcall function 0093BAB1: GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 0093BB27
      • Part of subcall function 0093BAB1: GetSystemMetrics.USER32(75C09120), ref: 0093BB3E
      • Part of subcall function 0093BAB1: GetSystemMetrics.USER32(00000001), ref: 0093BB45
    • GetClientRect.USER32(?,?), ref: 0093B8BF
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 0093B8F3
    • SetWindowTextW.USER32(?,?), ref: 0093B910
    • GetDlgItem.USER32(?,000003EB), ref: 0093B92E
    • SetWindowTextW.USER32(00000000), ref: 0093B931
    • GetDlgItem.USER32(?,000003EC), ref: 0093B949
    • SetWindowTextW.USER32(00000000), ref: 0093B94C
    • GetDlgItem.USER32(?,000003EE), ref: 0093B964
    • SetWindowTextW.USER32(00000000), ref: 0093B967
    • GetDlgItem.USER32(?,000003ED), ref: 0093B97F
    • SetWindowTextW.USER32(00000000), ref: 0093B982
    • RedrawWindow.USER32(?,00000000,00000000,00000100), ref: 0093B990
    Similarity
    • API ID: Window$Text$Item$AddressProc$MetricsSystem$ClientHandleModuleParentRectRedraw
    • String ID:
    • API String ID: 805021853-0
    • Opcode ID: 47fd5fd56278ccc7cc1eb6459031fa02ba7f6cca4e6960d7910979945236641a
    • Instruction ID: 42f16b76da7e080e7af9020ff12232827820e59f76ffddcaab7ace6b0623a6f5
    • Instruction Fuzzy Hash: 46311970610606AFDB209B6ACD4AF6FB7EDEF4831AF044528B655E21B0D770ED419E20
    APIs
    • __EH_prolog.LIBCMT ref: 0093AEFB
    • GetDlgItem.USER32(?,000003EC), ref: 0093AF70
    • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0093AF83
    • SendMessageW.USER32(00000000,00000401,00000000,?), ref: 0093AF9B
      • Part of subcall function 0093AE2C: GetDlgItem.USER32(?,000003FA), ref: 0093AE5A
      • Part of subcall function 0093AE2C: SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0093AECC
      • Part of subcall function 0093AE2C: SendMessageW.USER32(00000000,000000F1,00000002,00000000), ref: 0093AEDC
      • Part of subcall function 0093AE2C: Sleep.KERNEL32(000003E8), ref: 0093AEEC
    Similarity
    • API ID: MessageSend$Item$H_prologSleep
    • String ID: %s%s.DLL$%s%s.WDZ$%s.DLL$DLLInst$INST
    • API String ID: 1231116712-4546804
    • Opcode ID: b07ad9df4cef1b3dc87fc891e9cedb2984672e87e400b7b028cf65186663a304
    • Instruction ID: 0d9638a78c1fbb5b02b5c562baa6f8e41ab016b138fea0b0a602b7eb3c25b465
    • Instruction Fuzzy Hash: C15183B1A0022AAFDB14EB60CC95BFEB7ADEF84304F004159F219A7185DB746F55CBA1
    APIs
    • GetCurrentProcessId.KERNEL32(0000001C,?,00DC0770), ref: 00939958
    • GetCurrentProcessId.KERNEL32(0000001C,?,00DC0770), ref: 00939977
    • GetCommandLineW.KERNEL32(0000FFFF), ref: 00939998
    • Sleep.KERNEL32(000003E8,00000004), ref: 00939A08
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00939A13
    • CloseHandle.KERNEL32(00000000), ref: 00939A2D
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 00939A8D
    Strings
    • INSTALL, xrefs: 00939918, 00939923, 0093995F
    • /REP="%s" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" , xrefs: 00939985
    • /REP="%s%s\" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" , xrefs: 00939967
    • %s%s, xrefs: 0093992B
    Similarity
    • API ID: Process$Current$CloseCodeCommandExitHandleLineMessageSleep
    • String ID: /REP="%s" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" $ /REP="%s%s\" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" $%s%s$INSTALL
    • API String ID: 2671753509-3563714991
    • Opcode ID: 91fa7d0847586618f07e31794231571c68e2ba0136858e20ed43288e90faf973
    • Instruction ID: b71eec55fe20e72b2403cac36d9e88e786e6d446198a3f42fa22f487690af4ea
    • Instruction Fuzzy Hash: 4741A7B2A442156BDB10BBB1AC86FEE336DAFD4301F040175FE069618BEE705A44DB65
    APIs
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,000000FF,?), ref: 0092F541
    • __alloca_probe_16.LIBCMT ref: 0092F554
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 0092F581
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,000000FF,?), ref: 0092F5AB
    • __alloca_probe_16.LIBCMT ref: 0092F5CD
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 0092F5F8
    • LCMapStringW.KERNEL32(?,?,?,000000FF,?,000000FF,?,000000FF,?), ref: 0092F61C
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,000000FF,?), ref: 0092F646
    • __alloca_probe_16.LIBCMT ref: 0092F668
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 0092F693
    • LCMapStringW.KERNEL32(?,?,?,000000FF,?,000000FF,?,000000FF,?), ref: 0092F6DB
    Similarity
    • API ID: String$__alloca_probe_16
    • String ID:
    • API String ID: 1426756974-0
    • Opcode ID: 5d2a3889e07278e1f5e106c6f076c4c55d0e9d4f8ab4d7f44b5615f05b8a1a8f
    • Instruction ID: 8d04c9e5c58ba7d8cc8544fa4369b944293fffaacf3b4e622a9ba280dd0f9876
    • Instruction Fuzzy Hash: 4B615772804129BFDF119F60EC15EAF3BB9EB98760F148439F905D7220D635CDA29BA0
    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 0093EEC8
    • type_info::operator==.LIBVCRUNTIME ref: 0093EEEA
    • ___TypeMatch.LIBVCRUNTIME ref: 0093EFF9
    • IsInExceptionSpec.LIBVCRUNTIME ref: 0093F0CB
    • _UnwindNestedFrames.LIBCMT ref: 0093F14F
    • CallUnexpected.LIBVCRUNTIME ref: 0093F16A
    Similarity
    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2123188842-393685449
    • Opcode ID: 568e642a366f5278cb795751b8f8eb360f1039fdca4dfad6c291f1f1e868de7a
    • Instruction ID: 84684931089d810fd444fab1f5a6d63d20a5c06dea75f3228828d1d53fd0c7eb
    • Instruction Fuzzy Hash: 0BB17871C00209EFCF29DFA8D891AAEBBB9BF44310F10416AE8156B252D775EE51CF91
    APIs
    • LoadLibraryW.KERNEL32(NTDLL.dll), ref: 0092618C
    • GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 009261A0
    • GetFileInformationByHandle.KERNEL32(?,?), ref: 00926205
    • GetLogicalDriveStringsW.KERNEL32(00000207,?), ref: 00926234
      • Part of subcall function 00928391: SetErrorMode.KERNEL32(00008001,?,?,00000000), ref: 009283CD
      • Part of subcall function 00928391: GetDriveTypeW.KERNEL32(?,?,?,00000000), ref: 009283DC
      • Part of subcall function 00928391: GetLastError.KERNEL32(?,?,00000000), ref: 009283E4
      • Part of subcall function 00928391: SetErrorMode.KERNEL32(00000000,?,?,00000000), ref: 009283ED
      • Part of subcall function 00928391: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 009283F4
    • GetVolumeInformationW.KERNEL32(003A0020,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00926283
    Similarity
    • API ID: Error$DriveInformationLastMode$AddressFileHandleLibraryLoadLogicalProcStringsTypeVolume
    • String ID: $NTDLL.dll$NtQueryInformationFile$\
    • API String ID: 523946653-297113928
    • Opcode ID: 6333df56eb5f876a1818c26421f4ed8a4524b7ef3313b95e8fa7b6b1a87190d3
    • Instruction ID: e83002c52b11ae408d5a461a8f2b805dcbd6e9a1bd6204174c3235c453a4b389
    • Instruction Fuzzy Hash: 33419F75901229EEDF10DBA5EC49EEEB7BCEF40349F104462E915E3190EB759E84CB60
    APIs
    • __EH_prolog.LIBCMT ref: 009238E1
    • InternetSetOptionW.WININET(00000002,?,00000004), ref: 00923916
    • InternetConnectW.WININET(?,?,00000000,?,00000001,?,00000000), ref: 0092393F
    • InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 0092395D
    • InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 0092396B
    • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00923979
    • GetLastError.KERNEL32(?,00000000,?), ref: 009239AD
    • FtpCommandW.WININET(00000000,00000000,00000001,00000000,?,00000000), ref: 00923A03
    • InternetCloseHandle.WININET(00000000), ref: 00923A3B
      • Part of subcall function 00923843: GetLastError.KERNEL32(00000000), ref: 0092385F
      • Part of subcall function 00923843: InternetGetLastResponseInfoW.WININET(?,?,00000000), ref: 009238A8
    • InternetCloseHandle.WININET(00000000), ref: 00923A9F
    Similarity
    • API ID: Internet$Option$Last$CloseErrorHandle$CommandConnectH_prologInfoResponse
    • String ID:
    • API String ID: 633864153-0
    • Opcode ID: 68554b9ca19c7a21d199e3e6f5089c6aa218e50eb16b655527a840116e3c3d08
    • Instruction ID: ea3300a2f99332affdc7b18e49e4227d74ff5076a9243e07a6216e81db05701c
    • Instruction Fuzzy Hash: 8C51A272610215EFDB209F64EC46FAE37ADFF84710F108429FA05E61A5D7788E94DB90
    APIs
    • _free.LIBCMT ref: 00947026
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    • _free.LIBCMT ref: 00947032
    • _free.LIBCMT ref: 0094703D
    • _free.LIBCMT ref: 00947048
    • _free.LIBCMT ref: 00947053
    • _free.LIBCMT ref: 0094705E
    • _free.LIBCMT ref: 00947069
    • _free.LIBCMT ref: 00947074
    • _free.LIBCMT ref: 0094707F
    • _free.LIBCMT ref: 0094708D
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 5ab94152e04b796ebd20614224ae91be542463f520ec8384282d988885e3f165
    • Instruction ID: 6d14a4e1f57c342e55b94d9c58976026f6dfe16aaabefab96bdcc0b9d4a8b8f6
    • Instruction Fuzzy Hash: 9921B7B6900108EFCB05EF94C885EDE7BB8BF49340F0191A6F519AB522DB35EA54CB81
    APIs
    • GetDlgItem.USER32(?,000003EC), ref: 0093A529
    • SendMessageW.USER32(00000000,00000401,00000000,?), ref: 0093A54A
    • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0093A556
    • RedrawWindow.USER32(00000000,00000000,00000000,00000100), ref: 0093A562
      • Part of subcall function 0092ACD8: CharUpperW.USER32(?,009278A1,?,00927860), ref: 0092ACD9
    • SendMessageW.USER32(00000000,00000403,00000001,00000000), ref: 0093A62E
    • MessageBoxW.USER32(?,00000000,00000000,00000010), ref: 0093A6AB
    Similarity
    • API ID: Message$Send$CharItemRedrawUpperWindow
    • String ID: %s%s.WDZ$.WDZ
    • API String ID: 922213482-305230444
    • Opcode ID: 25216809b4f9e53af5a963a489de8b59fb44329cbd1377d89395508c8ed43054
    • Instruction ID: e19f0c98aefa66db68abf4544201e0b90b0d8c0a24aae6b3af2df01efe0b83d2
    • Instruction Fuzzy Hash: D041A2312042116BDB00EB21DC86FEB33DDEFC5704F088939F959DA196EB709A05CB61
    APIs
    • GetCurrentProcessId.KERNEL32 ref: 009214E6
      • Part of subcall function 009214A0: InitializeSecurityDescriptor.ADVAPI32(00970EAC,00000001,00000000,0092151F,00000004,00000000,0000FFFF,?), ref: 009214A9
      • Part of subcall function 009214A0: SetSecurityDescriptorDacl.ADVAPI32(00970EAC,00000001,00000000,00000000), ref: 009214B6
    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,0000FFFF,?), ref: 00921522
    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,0000FFFF), ref: 00921533
    • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 0092156D
    • CreateEventW.KERNEL32(00000000,00000000,00000001,?), ref: 0092159E
    Similarity
    • API ID: Create$DescriptorEventFileSecurity$CurrentDaclInitializeMappingProcessView
    • String ID: %sEVT_MSGDISPO_%d$%sEVT_MSGTRAITE_%d$%sMAPPING_%d
    • API String ID: 2991646597-1430784409
    • Opcode ID: 8750fed6d047dc8699912bb0870ffd3d8cf733705dba308e31895a20e431aaee
    • Instruction ID: 051f108e091c1902ce01d8800cfaf6ab80ccebb062150fc4effe1ab5b332a0ca
    • Instruction Fuzzy Hash: 09210BF2D54328BAD760A7B1BC89FA73AECDBE4759F000561B505D3081EA7198D4CBB4
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: c5fdd0990a4514736f50aae66d23be0e463413af677b791821ed21e29cb2aa99
    • Instruction ID: 3c5f65be7851e26e5a5cd4ddd6039aa0f1b3011c27fa10167599d60f6399fce2
    • Instruction Fuzzy Hash: 6D5158B5A0A301ABCB24EFB8C892F6E77E8EF41710F14452EF915E7281E77199008B50
    APIs
    • __EH_prolog.LIBCMT ref: 00930AA9
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00930B03
    • __alloca_probe_16.LIBCMT ref: 00930B14
    • WideCharToMultiByte.KERNEL32(000004E4,00000000,?,?,?,?,00000000,00000000,?,?,00000000), ref: 00930B39
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00930B49
    • __alloca_probe_16.LIBCMT ref: 00930B6A
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,?,?,?,?,00000001,?,?,00000000), ref: 00930B93
    • _strlen.LIBCMT ref: 00930BAC
    Similarity
    • API ID: ByteCharMultiWide$__alloca_probe_16$H_prolog_strlen
    • String ID:
    • API String ID: 4031684469-0
    • Opcode ID: 92cab2da0d1b3dd0683d21c419abd2a201587bd4006eda5cafdc962bcbf31c23
    • Instruction ID: a487caacaba7b3095b8ba3e871f87e532324b057712828bbe99a45fc516a5ef0
    • Instruction Fuzzy Hash: 5851BBB1A00209AFDB14DFA5DC95EBFBBB8FB84358F104468F50597291DA349E05CFA0
    Similarity
    • API ID: ___from_strstr_to_strchr_strlen
    • String ID: P
    • API String ID: 1576176021-3110715001
    • Opcode ID: a1114d003246552d7bd9bea2ea52bbcbbc7b8d4b1f8d676869c55f6585079788
    • Instruction ID: 552cfc84bda1f9854aed9acb7d1d62be516079075992104d4657fd3e412639a9
    • Opcode Fuzzy Hash: a1114d003246552d7bd9bea2ea52bbcbbc7b8d4b1f8d676869c55f6585079788
    • Instruction Fuzzy Hash: 7961B0716093619FD714CF28E884B6BB7E8BF84714F044A2DF886DB285DB74E904CB96
    APIs
    • InternetWriteFile.WININET(?,?,?,?), ref: 00923BB0
    • InternetReadFile.WININET(?,00000000,0000FA00,00000000), ref: 00923C30
    • InternetGetLastResponseInfoW.WININET(?,?,?), ref: 00923C82
    • InternetCloseHandle.WININET(00000000), ref: 00923CA4
    • InternetGetLastResponseInfoW.WININET(?,?,?), ref: 00923CC7
    Similarity
    • API ID: Internet$FileInfoLastResponse$CloseHandleReadWrite
    • String ID: PASV
    • API String ID: 490010189-2291125535
    • Opcode ID: 43ae0a184c08ded4c6570f2da8a6a5f343fe52104e0885af25fa88266e73f279
    • Instruction ID: 03b657cd9dfdc63ffa328649e807bc7c4e5e5a12ecce1ad9e73cea56bc45964d
    • Opcode Fuzzy Hash: 43ae0a184c08ded4c6570f2da8a6a5f343fe52104e0885af25fa88266e73f279
    • Instruction Fuzzy Hash: C571BD71600229ABDF14DF64EC45BFE37BDBF88744F118129B90AA6254E738CA51DB90
    Similarity
    • API ID: H_prolog
    • String ID: ://$ftp$ftpes$ftps$sftp
    • API String ID: 3519838083-284551153
    • Opcode ID: 66c584cda773ae97ec4ca8da1976c2e2e27466cde83988f8873b3547e309eaef
    • Instruction ID: 2ac733f08eea4edc8edbaed23a399a11b987afd08db31255cd6edd852c910125
    • Opcode Fuzzy Hash: 66c584cda773ae97ec4ca8da1976c2e2e27466cde83988f8873b3547e309eaef
    • Instruction Fuzzy Hash: 8F51933190122A9BCF15EFA0EC92BFE77B8FFA0351F004529F91566199EB309A59C790
    APIs
    • _ValidateLocalCookies.LIBCMT ref: 0093E907
    • ___except_validate_context_record.LIBVCRUNTIME ref: 0093E90F
    • _ValidateLocalCookies.LIBCMT ref: 0093E998
    • __IsNonwritableInCurrentImage.LIBCMT ref: 0093E9C3
    • _ValidateLocalCookies.LIBCMT ref: 0093EA18
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 720675b1faa9824a30484e88827ce7623595e3e727eafc48314eaca35f6fbf6b
    • Instruction ID: 75bfc6ccdedd2561c59b5287ad7104e9259fa8ed500fab914d39f9d492761af6
    • Opcode Fuzzy Hash: 720675b1faa9824a30484e88827ce7623595e3e727eafc48314eaca35f6fbf6b
    • Instruction Fuzzy Hash: A541A134E00208DBCF10DF68C885B9EBBB5EF85324F1485A5F919AB3A2D7719A45CF91
    APIs
    • __EH_prolog.LIBCMT ref: 009273CF
    • SetErrorMode.KERNEL32(00008001), ref: 009273F0
    • CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 0092744A
    • GetLastError.KERNEL32(?,00000000), ref: 00927459
    • GetLastError.KERNEL32(?,00000000), ref: 00927460
    • SetErrorMode.KERNEL32(00000000,?,00000000), ref: 00927465
    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00927468
    Similarity
    • API ID: Error$Last$Mode$CopyFileH_prolog
    • String ID:
    • API String ID: 887865962-0
    • Opcode ID: 7a1a113a0dea1d95b11c3ab948de2a477c9f7342ed0dbc3d3a196385dc40b9f6
    • Instruction ID: 8de24ce660f4551f32aa41ae35fa2f2611e76d6c7201802c1f16c567d9600eeb
    • Opcode Fuzzy Hash: 7a1a113a0dea1d95b11c3ab948de2a477c9f7342ed0dbc3d3a196385dc40b9f6
    • Instruction Fuzzy Hash: B731D171E01228ABDB14EBB1EC4ABAEBBB4EF44714F504059F509632D1CB749E45CB61
    APIs
      • Part of subcall function 0094E556: _free.LIBCMT ref: 0094E57B
    • _free.LIBCMT ref: 0094E5DC
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    • _free.LIBCMT ref: 0094E5E7
    • _free.LIBCMT ref: 0094E5F2
    • _free.LIBCMT ref: 0094E646
    • _free.LIBCMT ref: 0094E651
    • _free.LIBCMT ref: 0094E65C
    • _free.LIBCMT ref: 0094E667
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: b89aa68b50a4026dbd1207eb1ccebb2b2aa0c3f9eda47e84d3a6003c7d9125e3
    • Instruction ID: 7aa77e4fdd6455b79800ed4af606d080bf72e1e637991128c2d5e9b8ab8e7bd7
    • Opcode Fuzzy Hash: b89aa68b50a4026dbd1207eb1ccebb2b2aa0c3f9eda47e84d3a6003c7d9125e3
    • Instruction Fuzzy Hash: 2C115BB1940B44AADA38FBB4CC07FCB77DDAF81740F404D19B299B6092EAB5F5048759
    APIs
    • GetDlgItem.USER32(?,000003E9), ref: 0093B9D7
    • GetWindowTextLengthW.USER32(00000000), ref: 0093B9E0
    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0093B9F5
      • Part of subcall function 0094254F: _free.LIBCMT ref: 00942562
    • GetDlgItem.USER32(?,00000000), ref: 0093BA17
    • GetWindowTextLengthW.USER32(00000000), ref: 0093BA20
    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0093BA35
    • SendMessageW.USER32(?,00000002,00000000,00000000), ref: 0093BA57
    Similarity
    • API ID: TextWindow$ItemLength$MessageSend_free
    • String ID:
    • API String ID: 298498057-0
    • Opcode ID: 3720e147b4ca4d0a2ce9a1baa84671e261ffbbe8a6b5ac1b3a5b0e389b051ba5
    • Instruction ID: bd3b75dd889498f6e88e3cda90d0708905d8f8ddbe75266eedfd4ae29d7f50c9
    • Opcode Fuzzy Hash: 3720e147b4ca4d0a2ce9a1baa84671e261ffbbe8a6b5ac1b3a5b0e389b051ba5
    • Instruction Fuzzy Hash: 2411A375214220AFC7106F61EC89F6E77B9EF85716F004018F916A71A2DB74AD41DB61
    APIs
    • GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 009515D3
    • __fassign.LIBCMT ref: 009517B8
    • __fassign.LIBCMT ref: 009517D5
    • WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0095181D
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0095185D
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00951905
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 1735259414-0
    • Opcode ID: de761fb89a41ac296818ba72b06d77b663c19bcac0edf1f1c87c025dd9d317c7
    • Instruction ID: bef6fbba2b482ac59347720943c51ead8fe2145d780b91c72fb9008e5c4f3c39
    • Opcode Fuzzy Hash: de761fb89a41ac296818ba72b06d77b663c19bcac0edf1f1c87c025dd9d317c7
    • Instruction Fuzzy Hash: 37C1DD75D002589FCB14CFE9D890AEDBBB9AF49305F28416AE855FB341D6309D4ACF60
    APIs
    • __EH_prolog.LIBCMT ref: 009278E2
    • SetErrorMode.KERNEL32(00008001,?,00000000), ref: 00927932
    • GetLastError.KERNEL32(?,00000000), ref: 00927944
    • SetErrorMode.KERNEL32(00000000,?,00000000), ref: 0092794D
    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00927950
    • GetLastError.KERNEL32(?,00000000), ref: 0092795F
      • Part of subcall function 0092D909: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,00000000,?,?,00923886,00000000,?,?,?,?), ref: 0092D934
      • Part of subcall function 0092D909: LocalFree.KERNEL32(00000000,?,00923886,00000000,?,?,?), ref: 0092D952
    Similarity
    • API ID: Error$Last$Mode$FormatFreeH_prologLocalMessage
    • String ID:
    • API String ID: 1371860015-0
    • Opcode ID: 59a7b772eb3f33f4a2dfeea55fc9779d50f9c4b10452ac6f002f0aba3c194e7d
    • Instruction ID: 5731de1a6baabd48f7bced84a0c1eca501944931f93707ce85e725f1524f2f87
    • Opcode Fuzzy Hash: 59a7b772eb3f33f4a2dfeea55fc9779d50f9c4b10452ac6f002f0aba3c194e7d
    • Instruction Fuzzy Hash: 1F21C872E05224AFDB14BBF1BC46BBE7678EF84344F10002AF505A3181DBB45E45CBA1
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00927312
    • DeleteFileW.KERNEL32 ref: 00927317
    • GetLastError.KERNEL32 ref: 00927320
    • SetErrorMode.KERNEL32(00000000), ref: 00927329
    • SetLastError.KERNEL32(00000000), ref: 0092732C
    • GetLastError.KERNEL32 ref: 00927339
      • Part of subcall function 00927BFC: SetErrorMode.KERNEL32(00008001,?,00000000), ref: 00927C11
      • Part of subcall function 00927BFC: SetFileAttributesW.KERNEL32(?,?), ref: 00927C1D
      • Part of subcall function 00927BFC: GetLastError.KERNEL32 ref: 00927C26
      • Part of subcall function 00927BFC: SetErrorMode.KERNEL32(00000000), ref: 00927C2F
      • Part of subcall function 00927BFC: SetLastError.KERNEL32(00000000), ref: 00927C36
      • Part of subcall function 0092723E: __EH_prolog.LIBCMT ref: 00927243
      • Part of subcall function 0092723E: SetErrorMode.KERNEL32(00008001,?,00000000,?,?,00000000), ref: 00927286
      • Part of subcall function 0092723E: DeleteFileW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0092728B
      • Part of subcall function 0092723E: GetLastError.KERNEL32(?,00000000,?,?,00000000), ref: 00927294
      • Part of subcall function 0092723E: SetErrorMode.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0092729D
      • Part of subcall function 0092723E: SetLastError.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 009272A0
    Similarity
    • API ID: Error$Last$Mode$File$Delete$AttributesH_prolog
    • String ID:
    • API String ID: 2270752586-0
    • Opcode ID: 21169b324a666cec0d86b0fcf839fe81ecae3ac2eee0c9da4bc87d9cab6c2e80
    • Instruction ID: 11d35fa299ca22d69eca7291a9fc1b6d316ee35fc1ecaa118795a4af983e17cc
    • Opcode Fuzzy Hash: 21169b324a666cec0d86b0fcf839fe81ecae3ac2eee0c9da4bc87d9cab6c2e80
    • Instruction Fuzzy Hash: DE110B32B153207BDB14A7F5BC46A6EB66CDF81365F200469F902E71D5EE70DD409361
    APIs
    • GetLastError.KERNEL32(?,?,0093EA8B,0093DA08,0093D1AA), ref: 0093EAA2
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0093EAB0
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0093EAC9
    • SetLastError.KERNEL32(00000000,0093EA8B,0093DA08,0093D1AA), ref: 0093EB1B
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 84235daa48a048c0de5f25be50f26bd103aa03125ba7b6a86f6d2c453b67b851
    • Instruction ID: 924abf8ed2d3da72204f620a4f62df49363729bebb3139490ab8d30f980cd508
    • Opcode Fuzzy Hash: 84235daa48a048c0de5f25be50f26bd103aa03125ba7b6a86f6d2c453b67b851
    • Instruction Fuzzy Hash: 3501F132A1C3116EE6212B766CA5A672AACEB42775F300239F510810F1EF916C017A44
    Strings
    • C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE, xrefs: 0094CD83
    Similarity
    • API ID:
    • String ID: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
    • API String ID: 0-2717945903
    • Opcode ID: 5863b6cb1d98c1fbabbfee8c5c400894df8f8ead7fc56dac27ba591c388f34e7
    • Instruction ID: 79853404a959bc62055875964f8d4839fb9402dd1498554c8971e995cec6ad12
    • Opcode Fuzzy Hash: 5863b6cb1d98c1fbabbfee8c5c400894df8f8ead7fc56dac27ba591c388f34e7
    • Instruction Fuzzy Hash: 6521F0F2605215BFEF60AF65CC80E6B77ACEF413687108924F91997191EB30EC5197A0
    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,0093FBC8,?,?,0096FD34,00000000,?,0093FCF3,00000004,InitializeCriticalSectionEx,00954FD4,InitializeCriticalSectionEx,00000000), ref: 0093FB97
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: 90d9da501ee5e79a8612d4e978010b425d7d0dcb5cbe3854cb00a87714bfffc5
    • Instruction ID: 06e4d974ce3da002d060295e012b931f051c001285b2fb82d4e618a4f92d0440
    • Opcode Fuzzy Hash: 90d9da501ee5e79a8612d4e978010b425d7d0dcb5cbe3854cb00a87714bfffc5
    • Instruction Fuzzy Hash: 6B11E371E04220ABDF628B69EC31B59B3B8AF157B5F250130F908EB2D0D760ED409BD1
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process), ref: 0092E151
    • GetProcAddress.KERNEL32(00000000), ref: 0092E158
    • GetCurrentProcess.KERNEL32(00000000), ref: 0092E172
    Similarity
    • API ID: AddressCurrentHandleModuleProcProcess
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 4190356694-3024904723
    • Opcode ID: 81fd6556280d5e1a3bdec3716a6ca91604938574f9a400a351a9b1ec60d3e5a9
    • Instruction ID: b45bdd09bd408fd12ca1dc459d5d69342c9a36b2174f4d9896b698ef9b325cd2
    • Opcode Fuzzy Hash: 81fd6556280d5e1a3bdec3716a6ca91604938574f9a400a351a9b1ec60d3e5a9
    • Instruction Fuzzy Hash: 4CF05872A2C309EBCB00CBB1FC49A1A37ACFF8078AF104824E105E3190D7B5C980AB10
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00945767,?,?,0094572F,?,?,?), ref: 00945787
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0094579A
    • FreeLibrary.KERNEL32(00000000,?,?,00945767,?,?,0094572F,?,?,?), ref: 009457BD
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 3019bad55c0960cd9f0bebd878f53451e3d5401b67d97e2342d6d6c2067e3452
    • Instruction ID: 7dafff79f32a43a6961646a499e28f34626b95ae4425c72c18f68bdb13a15591
    • Opcode Fuzzy Hash: 3019bad55c0960cd9f0bebd878f53451e3d5401b67d97e2342d6d6c2067e3452
    • Instruction Fuzzy Hash: 6FF08231615719FBDB119BA2DD0AF9D7A69DB4075FF110060B905A10A1CB708F44EB91
    APIs
    • __alloca_probe_16.LIBCMT ref: 0094A0B7
    • __alloca_probe_16.LIBCMT ref: 0094A17D
    • __freea.LIBCMT ref: 0094A1E9
      • Part of subcall function 00946A91: RtlAllocateHeap.NTDLL(00000000,?,?,?,00925A50,00000002,?,?), ref: 00946AC3
    • __freea.LIBCMT ref: 0094A1F2
    • __freea.LIBCMT ref: 0094A215
    Similarity
    • API ID: __freea$__alloca_probe_16$AllocateHeap
    • String ID:
    • API String ID: 1423051803-0
    • Opcode ID: 8a945bea3fd867af1c4c2e0ef635c6ed288b0e34b8b58116ec18978e578bf542
    • Instruction ID: 26dc91162514167081202b1ae81baa241d976f193239e7b262a95126493b850a
    • Opcode Fuzzy Hash: 8a945bea3fd867af1c4c2e0ef635c6ed288b0e34b8b58116ec18978e578bf542
    • Instruction Fuzzy Hash: 3151EE7268420AAFEB219F60CC41FAB3BADEF89750F254528FD04AB140E775DD40D7A2
    APIs
    • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00943AE1), ref: 00943BD1
    • GetFileInformationByHandle.KERNEL32(?,?), ref: 00943C2B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00943AE1,?,000000FF,00000000,00000000), ref: 00943CB9
    • __dosmaperr.LIBCMT ref: 00943CC0
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00943CFD
      • Part of subcall function 00943FEC: __dosmaperr.LIBCMT ref: 00944021
    Similarity
    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
    • String ID:
    • API String ID: 1206951868-0
    • Opcode ID: 2c2ab49cdf8ac40c8c3c8e7da10bb359ba897222f7dab2e98ec59bd3f43ee6cd
    • Instruction ID: 82359b42c5a88710554d9a0c7cd2ff9bf9820e0f458cc9123632469c1bdedda2
    • Opcode Fuzzy Hash: 2c2ab49cdf8ac40c8c3c8e7da10bb359ba897222f7dab2e98ec59bd3f43ee6cd
    • Instruction Fuzzy Hash: 10413B72910704AFDB24DFB6DC45DABBBF9EF89300B108929F856E3651E7309A44DB60
    APIs
    • SetErrorMode.KERNEL32(00008001), ref: 00926CF3
    • GetFileTime.KERNEL32(?,?,?,?), ref: 00926D0D
    • GetLastError.KERNEL32 ref: 00926D15
    • SetErrorMode.KERNEL32(00000000), ref: 00926D1E
    • SetLastError.KERNEL32(00000000), ref: 00926D25
      • Part of subcall function 00926FA0: SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,?,?,?,?,?,00926D64), ref: 00926FB3
      • Part of subcall function 00926FA0: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,00926D64), ref: 00926FC0
      • Part of subcall function 00926FA0: GetLastError.KERNEL32(?,?,?,?,?,00926D64), ref: 00926FC8
      • Part of subcall function 00926FA0: SetErrorMode.KERNEL32(00000000,?,?,?,?,?,00926D64), ref: 00926FD1
      • Part of subcall function 00926FA0: SetLastError.KERNEL32(00000000,?,?,?,?,?,00926D64), ref: 00926FD8
    Similarity
    • API ID: Error$LastMode$Time$File$System
    • String ID:
    • API String ID: 1744743945-0
    • Opcode ID: e35fdb6ee201242824230e134a55719849b453c84beaab3b8d2f69f81c56d584
    • Instruction ID: 0dd650345fc2a8cc363ae7e282da59a81e25b6ad16d59226de5b656a28a2bbbf
    • Opcode Fuzzy Hash: e35fdb6ee201242824230e134a55719849b453c84beaab3b8d2f69f81c56d584
    • Instruction Fuzzy Hash: 6A116532B00219ABDB209FB2FC44AEF777DAF84745B248525E911D25D8EB30DD058760
    APIs
    • SetErrorMode.KERNEL32(00008001,?,00000000), ref: 00927C11
    • SetFileAttributesW.KERNEL32(?,?), ref: 00927C1D
    • GetLastError.KERNEL32 ref: 00927C26
    • SetErrorMode.KERNEL32(00000000), ref: 00927C2F
    • SetLastError.KERNEL32(00000000), ref: 00927C36
    Similarity
    • API ID: Error$LastMode$AttributesFile
    • String ID:
    • API String ID: 3259181413-0
    • Opcode ID: fa7210d5701ed172488e833f4e2a9283ace7ff8073826f9f9edfe447ce665d6e
    • Instruction ID: 95e8f53c34784039a383b9cc9b3f35f2f0dd3c2c93f3c913bee76315ffa462ac
    • Opcode Fuzzy Hash: fa7210d5701ed172488e833f4e2a9283ace7ff8073826f9f9edfe447ce665d6e
    • Instruction Fuzzy Hash: D601F232E01220BBDB106BB2BC0AA9E7EB8EF80701F100065FA05A71D1DB719E419BA1
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,?,?,?,?,?,?,00926C7B), ref: 00926F6E
    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00926C7B), ref: 00926F7B
    • GetLastError.KERNEL32(?,?,?,?,?,00926C7B), ref: 00926F83
    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,00926C7B), ref: 00926F8C
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00926C7B), ref: 00926F93
    Similarity
    • API ID: Error$LastModeTime$FileSystem
    • String ID:
    • API String ID: 81331137-0
    • Opcode ID: 21f15020574bccf3155f3077aa1ed0a6aa9e3b5341c4b627d30c415628620c89
    • Instruction ID: 1617b965f6174ac96460d029396c301dbf6f47ba53b420882c96e479ffe1ea22
    • Opcode Fuzzy Hash: 21f15020574bccf3155f3077aa1ed0a6aa9e3b5341c4b627d30c415628620c89
    • Instruction Fuzzy Hash: FA01802D910315AACB00AFF1E8445DEB378FF0C719B148199EA19E7350F7328987CB69
    APIs
    • SetErrorMode.KERNEL32(00008001,?,74DEE010,?,?,?,00927E3E,?,?), ref: 00927E6B
    • FindClose.KERNEL32(?,?,74DEE010,?,?,?,00927E3E,?,?), ref: 00927E75
    • GetLastError.KERNEL32(?,?,74DEE010,?,?,?,00927E3E,?,?), ref: 00927E7E
    • SetErrorMode.KERNEL32(00000000,?,?,74DEE010,?,?,?,00927E3E,?,?), ref: 00927E87
    • SetLastError.KERNEL32(00000000,?,?,74DEE010,?,?,?,00927E3E,?,?), ref: 00927E8E
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$CloseFind
    • String ID:
    • API String ID: 2489206347-0
    • Opcode ID: d0db436f648bc5befcb9982e8527bf39db948138df23db80f766dc5940ed8eb9
    • Instruction ID: 20a679b6cbec8a61b0585245195cad061d0516fcedf27c38869d5e82c24c2562
    • Opcode Fuzzy Hash: d0db436f648bc5befcb9982e8527bf39db948138df23db80f766dc5940ed8eb9
    • Instruction Fuzzy Hash: F2012632915320ABDB102BB5FC0AA5E7AA8EF41325F200268F551E31E0DB719D82D7A1
    APIs
    • _free.LIBCMT ref: 0094E505
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    • _free.LIBCMT ref: 0094E517
    • _free.LIBCMT ref: 0094E529
    • _free.LIBCMT ref: 0094E53B
    • _free.LIBCMT ref: 0094E54D
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 1a74be0c607b2263665a798550ae1f65bb35aaa3c1a9ef905c216c649f8a2f36
    • Instruction ID: 58eb06a5f585a5cd840cd72fdcebea2b01fb58d27826e1acc5c1f9df068ed7c3
    • Opcode Fuzzy Hash: 1a74be0c607b2263665a798550ae1f65bb35aaa3c1a9ef905c216c649f8a2f36
    • Instruction Fuzzy Hash: 85F036B2518640ABCA24EF5CF4C5D2677DDFA417147945809F05CF7501D770FD808A65
    APIs
    • SetErrorMode.KERNEL32(00008001,?,?,00000000), ref: 009283CD
    • GetDriveTypeW.KERNEL32(?,?,?,00000000), ref: 009283DC
    • GetLastError.KERNEL32(?,?,00000000), ref: 009283E4
    • SetErrorMode.KERNEL32(00000000,?,?,00000000), ref: 009283ED
    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 009283F4
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$DriveType
    • String ID:
    • API String ID: 4016283455-0
    • Opcode ID: 533d1efe37fb614430f75bbe339a2943f754a3a61e5bc96267fa6614ddda9f5f
    • Instruction ID: 66d2e3cf6b2c473331e8ef305362caa6503815341f0dfac89bfc15437638bb40
    • Opcode Fuzzy Hash: 533d1efe37fb614430f75bbe339a2943f754a3a61e5bc96267fa6614ddda9f5f
    • Instruction Fuzzy Hash: B1F09A735193249BC71067B5FC4DACA7768EB84326F304366F226921D2EF305989CB91
    APIs
    • SetErrorMode.KERNEL32(00008001,00000000,00000000,00000000,?,00926C8F,00000000,00000000,00000000), ref: 00926CA5
    • SetFileTime.KERNEL32(?,?,?,00000000,?,00926C8F,00000000,00000000,00000000), ref: 00926CBC
    • GetLastError.KERNEL32(?,00926C8F,00000000,00000000,00000000), ref: 00926CC4
    • SetErrorMode.KERNEL32(00000000,?,00926C8F,00000000,00000000,00000000), ref: 00926CCD
    • SetLastError.KERNEL32(00000000,?,00926C8F,00000000,00000000,00000000), ref: 00926CD4
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Error$LastMode$FileTime
    • String ID:
    • API String ID: 3468889105-0
    • Opcode ID: 9b49a8ca78cb0b943dc08ec95c75c3ce18db1839df1c24a61a5e04e27b556838
    • Instruction ID: f6f10136ef0684f1217b742d86daf5ceb4152eb14c1d9ebaf895185d4980beee
    • Opcode Fuzzy Hash: 9b49a8ca78cb0b943dc08ec95c75c3ce18db1839df1c24a61a5e04e27b556838
    • Instruction Fuzzy Hash: 57E06D37204304ABCB501BB2BC0CC9A7F69FB48366B244125FB0582260CB3288A1ABA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: _strlen
    • String ID: $*$l
    • API String ID: 4218353326-2827349907
    • Opcode ID: b7e87da564f9ed638a875079c1210d0afa5890d4cae76ec29bf11460722be913
    • Instruction ID: 4550eea15cdefa3e9a53da4a78d2e5a18ac852874cd8c7ddb077a60e3ccf1b97
    • Opcode Fuzzy Hash: b7e87da564f9ed638a875079c1210d0afa5890d4cae76ec29bf11460722be913
    • Instruction Fuzzy Hash: 25A11972D00236D7DB24EE6CF88477D77E5EF65700F28842AE881AB29DE7749E819740
    APIs
    • CloseHandle.KERNEL32(00000000), ref: 00921781
    • SetEvent.KERNEL32(@RUN=,0095D794,?), ref: 009217A5
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: CloseEventHandle
    • String ID: @REP=$@RUN=
    • API String ID: 827626419-4053177835
    • Opcode ID: 9d23d713a8e05df809bccbc89146d213636f71d8346232d4491ece6e8cb8c68f
    • Instruction ID: bbb8a70defd54819a7d300c2aa0993709e8e9a4675847fa25ae82e03a97e0f49
    • Opcode Fuzzy Hash: 9d23d713a8e05df809bccbc89146d213636f71d8346232d4491ece6e8cb8c68f
    • Instruction Fuzzy Hash: D7414271D00129AADB14EFA0EC92EFEB7BCEFA4300F104569E51662199EF306F49DB50
    APIs
    • LockFileEx.KERNEL32(?,00000000,00000000,00000001,00000000,?), ref: 009268FC
    • GetLastError.KERNEL32 ref: 0092690E
    • UnlockFileEx.KERNEL32(?,00000000,00000001,00000000,?), ref: 00926995
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 0092693F
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: File$ErrorLastLockUnlock
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 187685564-1932549541
    • Opcode ID: fdac44c8800a67a8dbc9c8e8e1aa1fb4ff33c541acee3ed7bce438cb9a80a004
    • Instruction ID: 629423afebbddb2727916911888779ebc1d086e87e3c3506cb06fffd315d85cf
    • Opcode Fuzzy Hash: fdac44c8800a67a8dbc9c8e8e1aa1fb4ff33c541acee3ed7bce438cb9a80a004
    • Instruction Fuzzy Hash: B8212974641314BBDF10AF55EC86FAE776DDFC5700F108029B9096E2DACAB08980CBB0
    APIs
    Strings
    • ##(CXError)-Ressource <%u> non charge##, xrefs: 0092D47B
    • ##(CXError)-Ressource <%u> vide. LastError = <%u>##, xrefs: 0092D4CC
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: ##(CXError)-Ressource <%u> non charge##$##(CXError)-Ressource <%u> vide. LastError = <%u>##
    • API String ID: 3519838083-885282050
    • Opcode ID: 743ed00c925ffc45eba1841897ac2632eecc31e27528cae03af59128831d8be1
    • Instruction ID: 142051a00f727df004ff9a9f9ac247c6748f5e8257eb9df8ceaf039dc4da1f2c
    • Opcode Fuzzy Hash: 743ed00c925ffc45eba1841897ac2632eecc31e27528cae03af59128831d8be1
    • Instruction Fuzzy Hash: 3D21A272601229AFDB15FF60EC81DEF77BDFF95354B00882AF81592199DB70AA05CB60
    APIs
    Strings
    • ##(CXError)-Ressource <%u> non charge##, xrefs: 0092D53C
    • ##(CXError)-Ressource <%u> vide. LastError = <%u>##, xrefs: 0092D578
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: ##(CXError)-Ressource <%u> non charge##$##(CXError)-Ressource <%u> vide. LastError = <%u>##
    • API String ID: 3519838083-885282050
    • Opcode ID: 93beec696dd80ce03b511047effc1c93b27c3843485218a4df5e3b24a8d271ef
    • Instruction ID: fc223f8f42edc26290fd70da367a0119b3c401382c081d43d97abecec2e9baf1
    • Opcode Fuzzy Hash: 93beec696dd80ce03b511047effc1c93b27c3843485218a4df5e3b24a8d271ef
    • Instruction Fuzzy Hash: 9A11C172401225ABCB14EF61EC46DEF7BBCEFC1314B00851AF81692189EF70AA04CB60
    APIs
    • _strlen.LIBCMT ref: 0092BA8C
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,wininet.dll,00000000,00000000,00000000,00000001,?,?,?,?,0092B852,?,?,00970504,00924EAD), ref: 0092BAA5
    • MultiByteToWideChar.KERNEL32(000004E4,00000000,wininet.dll,00000000,?,00000001,?,0092B852,?,?,00970504,00924EAD,?,?), ref: 0092BACC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ByteCharMultiWide$_strlen
    • String ID: wininet.dll
    • API String ID: 1433632580-3354682871
    • Opcode ID: 4c255544097fc86c6c782ab6fba1af563e38e9265c3ba1efce45c703eef11b29
    • Instruction ID: dc4815f561441aef8e116f9cc5f1c9594fe0076289db42f79d225bba692fb6ab
    • Opcode Fuzzy Hash: 4c255544097fc86c6c782ab6fba1af563e38e9265c3ba1efce45c703eef11b29
    • Instruction Fuzzy Hash: AC01F271600222BFE724A799EC82F2E77ECEF84350F20005AF605A32D1EBB01C409665
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Window$MessageSend
    • String ID: j
    • API String ID: 1496643700-2137352139
    • Opcode ID: e3ad91a3681e705a0be00f88a225c367ccce48a56f23aab154973708b653d8f1
    • Instruction ID: 145cb7e0bdc89b968e9412ade6908fe4f8d32c1daabedcc40b1387c0d876482d
    • Opcode Fuzzy Hash: e3ad91a3681e705a0be00f88a225c367ccce48a56f23aab154973708b653d8f1
    • Instruction Fuzzy Hash: A8E0923221632DABDB111F91AC44BEB375CEF0A756F044021F921D9120C3B58C51AB95
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 074d50a25136c2e1a6e121cf3adcf37d6ab67ca1ceea4fe1253b772bb2cdd08b
    • Instruction ID: d54982bf7ba1ca3422ca6fa13bee54503a013dc6756bb9c9e3a0035d5b1a4c14
    • Opcode Fuzzy Hash: 074d50a25136c2e1a6e121cf3adcf37d6ab67ca1ceea4fe1253b772bb2cdd08b
    • Instruction Fuzzy Hash: B0B138719086499FDB11CFA8C881FBEFBEAEF45340F254569E845EB241E3349D01CBA1
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: d975e746056b5223cc1ce789ce88e967cc922c9bde99e192bab6afb282a9fa23
    • Instruction ID: b838f3103a0101dd2ad1278f49ddc7bce068c94ad1ebe2652bbb7a49653d647f
    • Opcode Fuzzy Hash: d975e746056b5223cc1ce789ce88e967cc922c9bde99e192bab6afb282a9fa23
    • Instruction Fuzzy Hash: 6D51E17260520AAFDB298F15D951BBEB7B9EF80311F14452DE882872D1E731ED81CF90
    APIs
    • FileTimeToSystemTime.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,0092C6CF,00000001,00000000,00000000,?,0092C747,00000001), ref: 0092C59C
    • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,?,0092C6CF,00000001,00000000,00000000,?,0092C747), ref: 0092C627
    • FileTimeToSystemTime.KERNEL32(0092C6CF,?,?,?,?,?,0092C6CF,00000001,00000000,00000000,?,0092C747), ref: 0092C690
    • SetLastError.KERNEL32(00000057,?,00000000,?,?,?,?,?,0092C6CF,00000001,00000000,00000000,?,0092C747,00000001,00926F65), ref: 0092C6AA
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: Time$FileSystem$ErrorLast
    • String ID:
    • API String ID: 2998303600-0
    • Opcode ID: ac9d9908be121742318f0bf1df6a839beab98e678248227748c049424d6431a6
    • Instruction ID: b50baecdba8a1a03e1a2fd478db758ac2c86b08416a3745ac01f4e83c8ba2c6c
    • Opcode Fuzzy Hash: ac9d9908be121742318f0bf1df6a839beab98e678248227748c049424d6431a6
    • Instruction Fuzzy Hash: F841C6B591072A9FCF14EFA8E880AEEB7F8FF48310F10452AE555E3284D7709985CB90
    APIs
      • Part of subcall function 0092E11F: GetVersionExW.KERNEL32(?,00000000), ref: 0092E0E8
    • __alloca_probe_16.LIBCMT ref: 0092E273
    • __alloca_probe_16.LIBCMT ref: 0092E2B6
    • CreateProcessW.KERNEL32(00000000,0092E318,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0092E2EA
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0092E2F9
      • Part of subcall function 0092E18A: GetDesktopWindow.USER32 ref: 0092E1A4
      • Part of subcall function 0092E18A: ShellExecuteExW.SHELL32(0000003C), ref: 0092E1DC
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: __alloca_probe_16$CloseCreateDesktopExecuteHandleProcessShellVersionWindow
    • String ID:
    • API String ID: 4144049301-0
    • Opcode ID: 6a89955bf98dab19cc7d8f35e0ab6fc76f57477ea95bdaec3f659a0e9b12591c
    • Instruction ID: 36dacbd30d1770c6c6add70968e13b997b7c9085e2cbae02a51310a1b245df34
    • Opcode Fuzzy Hash: 6a89955bf98dab19cc7d8f35e0ab6fc76f57477ea95bdaec3f659a0e9b12591c
    • Instruction Fuzzy Hash: 7531CF72D04229ABCB11ABA5EC86FEF7BBCEF84710F000026F911A7145EA709A4587E1
    APIs
    • FtpOpenFileW.WININET(?,?,80000000,?,00000000), ref: 00923FF7
    • FtpGetFileSize.WININET(00000000,?), ref: 0092402B
    • InternetReadFile.WININET(00000000,00000000,0000FA00,?), ref: 0092407D
    • InternetCloseHandle.WININET(00000000), ref: 0092409D
      • Part of subcall function 00923843: GetLastError.KERNEL32(00000000), ref: 0092385F
      • Part of subcall function 00923843: InternetGetLastResponseInfoW.WININET(?,?,00000000), ref: 009238A8
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: FileInternet$Last$CloseErrorHandleInfoOpenReadResponseSize
    • String ID:
    • API String ID: 291595817-0
    • Opcode ID: 09b45502451684eb3abe9cbd45077782d6c5b5cd497d8a9a04b87b43150b847d
    • Instruction ID: 90d70d1d230aa4d39d9f67010da4a6ea90856ffdbbecf3c87225375cdc89c061
    • Opcode Fuzzy Hash: 09b45502451684eb3abe9cbd45077782d6c5b5cd497d8a9a04b87b43150b847d
    • Instruction Fuzzy Hash: 293103B2600215BFDB209F64EC05EAB3BADFF88710F004029FA0597151D7B4CA60DBA0
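The function summaries in this report all follow one layout: an APIs list (with "Part of subcall function" entries for calls made by callees), an optional Strings list, the memory-dump source, and a Similarity block carrying the API ID, Opcode ID and fuzzy hashes. The parser below is an added example and is not Joe Sandbox or Joe Security code. Its input is three blocks copied from this report (the GetDriveTypeW wrapper, the LockFileEx/UnlockFileEx routine and the FtpOpenFileW download routine), cut down to the lines the parser needs; all class and function names are the example's own. It separates a function's own calls from subcall entries, decodes hex arguments, flags the SetErrorMode(00008001) ... SetErrorMode(00000000) scaffolding that recurs through the listing (0x8001 is SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX, so the wrapped file or volume call cannot pop a dialog), and tallies imports per module so the one function that calls into WININET stands out.

```python
"""Added example, not Joe Sandbox code: parse a report's per-function summary blocks."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three blocks copied from this report, cut down to the lines needed.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00008001,?,?,00000000), ref: 009283CD
• GetDriveTypeW.KERNEL32(?,?,?,00000000), ref: 009283DC
• GetLastError.KERNEL32(?,?,00000000), ref: 009283E4
• SetErrorMode.KERNEL32(00000000,?,?,00000000), ref: 009283ED
• SetLastError.KERNEL32(00000000,?,?,00000000), ref: 009283F4
Similarity
• API ID: Error$LastMode$DriveType
APIs
• LockFileEx.KERNEL32(?,00000000,00000000,00000001,00000000,?), ref: 009268FC
• GetLastError.KERNEL32 ref: 0092690E
• UnlockFileEx.KERNEL32(?,00000000,00000001,00000000,?), ref: 00926995
Strings
• ##(IXStream)-Handle=<%p>##, xrefs: 0092693F
Similarity
• API ID: File$ErrorLastLockUnlock
APIs
• FtpOpenFileW.WININET(?,?,80000000,?,00000000), ref: 00923FF7
• FtpGetFileSize.WININET(00000000,?), ref: 0092402B
• InternetReadFile.WININET(00000000,00000000,0000FA00,?), ref: 0092407D
• InternetCloseHandle.WININET(00000000), ref: 0092409D
  • Part of subcall function 00923843: GetLastError.KERNEL32(00000000), ref: 0092385F
Similarity
• API ID: FileInternet$Last$CloseErrorHandleInfoOpenReadResponseSize
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SEM_FAILCRITICALERRORS, SEM_NOOPENFILEERRORBOX = 0x0001, 0x8000  # Win32 SetErrorMode flags

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int
    subcall_of: Optional[int] = None  # callee address on "Part of subcall function" lines

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ... key/value lines

    def own_calls(self):
        """Calls this function makes itself, excluding those attributed to callees."""
        return [c for c in self.apis if c.subcall_of is None]

def hexarg(s: str) -> Optional[int]:
    """Decode a hex argument; '?' (unknown) and string arguments give None."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None

def parse_blocks(text: str):
    blocks, section, block = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:  # each "APIs" header opens the next function block
            if line == "APIs":
                block = FunctionBlock()
                blocks.append(block)
            section = line
        elif not line or block is None:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
                sub = int(m["sub"], 16) if m["sub"] else None
                block.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Strings":
            block.strings.append(line.lstrip("• ").rsplit(", xrefs:", 1)[0])
        else:
            m = KV_RE.match(line)
            if m:
                block.meta[m["key"].strip()] = m["val"].strip()
    return blocks

def is_quiet_io_wrapper(block: FunctionBlock) -> bool:
    """Scaffolding repeated through this report: SetErrorMode(0x8001) silences the critical-error
    and open-file dialogs around one file/volume call, then mode and last-error are reset to 0."""
    modes = [hexarg(c.args[0]) for c in block.own_calls() if c.name == "SetErrorMode" and c.args]
    if len(modes) < 2 or modes[0] is None:
        return False
    return ((modes[0] & SEM_FAILCRITICALERRORS) != 0 and (modes[0] & SEM_NOOPENFILEERRORBOX) != 0
            and modes[-1] == 0)

def module_histogram(blocks) -> Counter:
    """Direct imports per module; WININET entries are the quickest sign of network code."""
    return Counter(c.module for b in blocks for c in b.own_calls())
```

Running the parser over the three sample blocks yields eight direct KERNEL32 calls and four WININET calls, with only the GetDriveTypeW block matching the error-mode wrapper pattern. The decoded arguments of the FTP routine are also readable this way: FtpOpenFileW is opened with access 0x80000000 (GENERIC_READ) and InternetReadFile reads in 0xFA00 (64000) byte chunks, which matches the installer fetching a payload rather than uploading anything.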
    APIs
      • Part of subcall function 00943E27: _free.LIBCMT ref: 00943E35
      • Part of subcall function 0094D6D4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00951F13,0000FDE9,00000000,?,?,?,00951C8C,0000FDE9,00000000,?), ref: 0094D780
    • GetLastError.KERNEL32 ref: 0094C752
    • __dosmaperr.LIBCMT ref: 0094C759
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0094C798
    • __dosmaperr.LIBCMT ref: 0094C79F
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: effcc7b737ec3effc0f96a678a7d9630a04085343dd4a5abb3c106a6ee25a994
    • Instruction ID: 835b68e53c875cc6e5993becaf94815b5bacdffa179e40a2c519cdd0b930019b
    • Opcode Fuzzy Hash: effcc7b737ec3effc0f96a678a7d9630a04085343dd4a5abb3c106a6ee25a994
    • Instruction Fuzzy Hash: 4821C5F1601605AFDB60AF758CC0D6BB7ACFF413687108515F91997250E734ED409BA0
    APIs
    • GetLastError.KERNEL32(00000002,?,?,00946A49,00946AD4,?,?,00925A50,00000002,?,?), ref: 00947284
    • _free.LIBCMT ref: 009472E1
    • _free.LIBCMT ref: 00947317
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00946A49,00946AD4,?,?,00925A50,00000002,?,?), ref: 00947322
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: b2664ed84e957e5dd003c9f3dee7a75c38a10ea6a3c5ec88a4873c1035a65021
    • Instruction ID: fd2ce82cd9d04f1f676e0feeb5f358f389fd88c297d0e0ecb14a3663b557c9dc
    • Opcode Fuzzy Hash: b2664ed84e957e5dd003c9f3dee7a75c38a10ea6a3c5ec88a4873c1035a65021
    • Instruction Fuzzy Hash: 2F11087220D205ABE7112BF9BDC6E2B625D8BC3774B350238F534962D2DFE58C056121
    APIs
    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000,009493EF,00000000,?,0095016C,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 009492A0
    • GetLastError.KERNEL32(?,0095016C,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,009493EF,00000000,00000104,?), ref: 009492AA
    • __dosmaperr.LIBCMT ref: 009492B1
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    • Opcode ID: 2e302640e0d4680bf88fa69c5d5320c9beb8e859fec48c9b2fe42de8dc257c06
    • Instruction ID: cb5327f6090f3509cdebf2d20d44617e734ed66e51a87fa433c595e6b34e30be
    • Opcode Fuzzy Hash: 2e302640e0d4680bf88fa69c5d5320c9beb8e859fec48c9b2fe42de8dc257c06
    • Instruction Fuzzy Hash: 3BF06932204615BB8F206FA2CC08D5BBFAAFF867A43108515F529C6520D771E861EBE0
    APIs
    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000,009493EF,00000000,?,009500F7,00000000,00000000,009493EF,?,?,00000000,00000000,00000001), ref: 00949309
    • GetLastError.KERNEL32(?,009500F7,00000000,00000000,009493EF,?,?,00000000,00000000,00000001,00000000,00000000,?,009493EF,00000000,00000104), ref: 00949313
    • __dosmaperr.LIBCMT ref: 0094931A
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    • Opcode ID: 933cdcc640802357e02208f0e458f916fe76ac0c9d34113a87b7387225122881
    • Instruction ID: 0c5b30eff55e3782317e142ab42e51e3843c07d5fe12d6630166defd667d84d3
    • Opcode Fuzzy Hash: 933cdcc640802357e02208f0e458f916fe76ac0c9d34113a87b7387225122881
    • Instruction Fuzzy Hash: 58F06932604215BB8B206FB7DC08D4BBFAAFF863B43148514F518C61A0CB31E861EBE0
    APIs
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,009527D1,00000000,00000001,00000000,00000000,?,00951962,?,?,00000000), ref: 00952A41
    • GetLastError.KERNEL32(?,009527D1,00000000,00000001,00000000,00000000,?,00951962,?,?,00000000,?,00000000,?,00951EAE,00000020), ref: 00952A4D
      • Part of subcall function 00952A13: CloseHandle.KERNEL32(FFFFFFFE,00952A5D,?,009527D1,00000000,00000001,00000000,00000000,?,00951962,?,?,00000000,?,00000000), ref: 00952A23
    • ___initconout.LIBCMT ref: 00952A5D
      • Part of subcall function 009529D5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00952A04,009527BE,00000000,?,00951962,?,?,00000000,?), ref: 009529E8
    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,009527D1,00000000,00000001,00000000,00000000,?,00951962,?,?,00000000,?), ref: 00952A72
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: ff39a6d3676701e22a9212a8c4f36ada21cbe00814dd3cbaf8db5a95c811cbc9
    • Instruction ID: 829f719772fd180c070d5eb561553667cf91f63bf14f97602e363ffe25898e26
    • Opcode Fuzzy Hash: ff39a6d3676701e22a9212a8c4f36ada21cbe00814dd3cbaf8db5a95c811cbc9
    • Instruction Fuzzy Hash: EFF01C36414254BFCF225FD2DC08A893F26FB5A3A6F044410FE0D95160DB3288A0ABD0
    APIs
    • UnmapViewOfFile.KERNEL32(00000000,009215C8), ref: 009215ED
    • CloseHandle.KERNEL32(00000000,?,009215C8), ref: 00921604
    • CloseHandle.KERNEL32(00000000,?,009215C8), ref: 00921610
    • CloseHandle.KERNEL32(00000000,?,009215C8), ref: 0092161C
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: CloseHandle$FileUnmapView
    • String ID:
    • API String ID: 260491571-0
    • Opcode ID: 6a6d7aad63421a28586d173ae5b1d46b272cc46a68c53747dfb77a754da563b2
    • Instruction ID: 52fc17844ee9b356eb3ec4529fb38bc24cb999020512bbc13df33f03c9c5793d
    • Opcode Fuzzy Hash: 6a6d7aad63421a28586d173ae5b1d46b272cc46a68c53747dfb77a754da563b2
    • Instruction Fuzzy Hash: 67E0B672B2C335DB9A509BBABD44A1A37DCAFA46813080816B444D3264DAA4DCD0EBA0
    APIs
    • _free.LIBCMT ref: 0094631C
      • Part of subcall function 00946A57: RtlFreeHeap.NTDLL(00000000,00000000,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?), ref: 00946A6D
      • Part of subcall function 00946A57: GetLastError.KERNEL32(?,?,0094E580,?,00000000,?,?,?,0094E5A7,?,00000007,?,?,0094E989,?,?), ref: 00946A7F
    • _free.LIBCMT ref: 0094632F
    • _free.LIBCMT ref: 00946340
    • _free.LIBCMT ref: 00946351
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 4561834d46590c2319cca271b8782201170068d76ba382d3ac19e09f01ebae6a
    • Instruction ID: 6e7a73d201399505d3797f170896fef94f40ea8c6285b2b7a739d97f508ec378
    • Opcode Fuzzy Hash: 4561834d46590c2319cca271b8782201170068d76ba382d3ac19e09f01ebae6a
    • Instruction Fuzzy Hash: D6E04FF2838560DA8A01AF50BC119093BA5B7CE700B411019F10436232D7F55091BA8A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: H_prolog__alloca_probe_16
    • String ID: -
    • API String ID: 1445763376-2547889144
    • Opcode ID: 82df0afa7c702aa763dd246107ba34738b89cdf14cafd94056f8b72e5c0351f0
    • Instruction ID: 67a33b250367aced9f9c389c80c82f1f3b8571277d8f4bfaf8f92f372bab212d
    • Opcode Fuzzy Hash: 82df0afa7c702aa763dd246107ba34738b89cdf14cafd94056f8b72e5c0351f0
    • Instruction Fuzzy Hash: 99C17E71A40209AFDF14CFA9C884AAEB7F9FF84310F54C569E815AB251DB34AE44CF60
    APIs
    • __startOneArgErrorHandling.LIBCMT ref: 0094B8DD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorHandling__start
    • String ID: pow
    • API String ID: 3213639722-2276729525
    • Opcode ID: 6f0958a5208f7a8518afc5d7c5401743b2192fdf02a02532ba7f2427ba693ecd
    • Instruction ID: d23ad3c9bbec7245ef0ff27c56aaea87708b9495537716cf41c907739cf58406
    • Opcode Fuzzy Hash: 6f0958a5208f7a8518afc5d7c5401743b2192fdf02a02532ba7f2427ba693ecd
    • Instruction Fuzzy Hash: 3C517D61A1C201C6DB26BB16D94177E6BACDBC0702F304D58FCD5422E9EB39CCD9AB46
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
    • API String ID: 0-2717945903
    • Opcode ID: f6dea31c334628cdbac5d1ec237da0c908e744b2df7011cb6320545dccf061cc
    • Instruction ID: 911d2f414b8a8be0d5f1645f055e0ab0bb699b61df3635859a53ca3b268585bc
    • Opcode Fuzzy Hash: f6dea31c334628cdbac5d1ec237da0c908e744b2df7011cb6320545dccf061cc
    • Instruction Fuzzy Hash: F3416EB1E04A54EBCB25DF999C81EAEBBBCEBC5310F114066F504E7262EB709E40DB50
    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0093F19A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 930392bff0b22a60eff30b2e7ae57939e1ee013dbb9957d167bb81b86863b27a
    • Instruction ID: d98bd086f33ab342e47b27cfa1b932d791d23026d08d631fc45b429e951e357a
    • Opcode Fuzzy Hash: 930392bff0b22a60eff30b2e7ae57939e1ee013dbb9957d167bb81b86863b27a
    • Instruction Fuzzy Hash: EA417672D00209EFDF15CF98D891AAEBBB9FF48300F188069F924A6261D3359E50DF51
    APIs
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00926B4D
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: ErrorFileLast
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 734332943-1932549541
    • Opcode ID: a6f64b97c0ea2179b09fd34580b4476c529984f257f5e52536810368eb3290b5
    • Instruction ID: f3b6168d88fc432f7914c2bdc2cabad4e1d16bff69dc630a53f0a738ec5c4ad5
    • Opcode Fuzzy Hash: a6f64b97c0ea2179b09fd34580b4476c529984f257f5e52536810368eb3290b5
    • Instruction Fuzzy Hash: 3D115231345225BFE7006B21FC42F7AB71AEF84300F108424F51A866A9DB61EC61E690
    APIs
    • FlushFileBuffers.KERNEL32(?,00000001), ref: 00926A4A
    • GetLastError.KERNEL32 ref: 00926A56
      • Part of subcall function 0092D909: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,00000000,?,?,00923886,00000000,?,?,?,?), ref: 0092D934
      • Part of subcall function 0092D909: LocalFree.KERNEL32(00000000,?,00923886,00000000,?,?,?), ref: 0092D952
    Strings
    • ##(IXStream)-Handle=<%p>##, xrefs: 00926A88
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: BuffersErrorFileFlushFormatFreeLastLocalMessage
    • String ID: ##(IXStream)-Handle=<%p>##
    • API String ID: 1721071265-1932549541
    • Opcode ID: 5983e96062aa84218eac44391fd50543724ae34625c924631f721a7bf975e29c
    • Instruction ID: b31fef307655edac6fdc6c3e5663a7065242a84003d6db4386ffaef4d650fe10
    • Opcode Fuzzy Hash: 5983e96062aa84218eac44391fd50543724ae34625c924631f721a7bf975e29c
    • Instruction Fuzzy Hash: 2001FC313556117FE704BB61FC82F79B32AEFC4300F004524F51A966AADF61ACA2A290
    APIs
    • GetDesktopWindow.USER32 ref: 0092E1A4
    • ShellExecuteExW.SHELL32(0000003C), ref: 0092E1DC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1770978115.0000000000921000.00000020.00000001.01000000.00000006.sdmp, Offset: 00920000, based on PE: true
    • Associated: 00000001.00000002.1770948696.0000000000920000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771013309.0000000000954000.00000002.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771036650.000000000096E000.00000004.00000001.01000000.00000006.sdmp
    • Associated: 00000001.00000002.1771052211.0000000000971000.00000002.00000001.01000000.00000006.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_920000_INSTALL.jbxd
    Similarity
    • API ID: DesktopExecuteShellWindow
    • String ID: <
    • API String ID: 2449286647-4251816714
    • Opcode ID: f935e9bd416ab7e4cb9cc5af8685458983d5175abf29d67dd9506ca966e91156
    • Instruction ID: 8f297c5cf10708019ce0f1084ebb8309d99fa529e57974b555a1a54b2239544d
    • Opcode Fuzzy Hash: f935e9bd416ab7e4cb9cc5af8685458983d5175abf29d67dd9506ca966e91156
    • Instruction Fuzzy Hash: 8501E2B1D042189BCB04DFAAE5809DEBBF8AF88304F11816AF818A3310D77499408F54