
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1545527
MD5: dc4f97df9369351e44f2f87ea7e5abd2
SHA1: b433ec49f9e2b35c0763218b38c1fee4a19e2cb0
SHA256: 5ed1397e6c4496239f1c865c19df8f4ea4821fd148d3380baa5dedb6b8d710fc

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: DC4F97DF9369351E44F2F87EA7E5ABD2)
    • Setup.tmp (PID: 7544 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe" MD5: 21BBD416AD06BFBA595FD3C2FED9B612)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe", ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 7524, ParentProcessName: Setup.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe", ProcessId: 7544, ProcessName: Setup.tmp
No Suricata rule has matched

There are no malicious signatures.

Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt
Source: Setup.exe | Static PE information: certificate valid
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00453238 FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose
Source: unknown | DNS traffic detected: query: 15.164.165.52.in-addr.arpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 200.163.202.172.in-addr.arpa, reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://license.ooinc.com/Download/FlexAPI
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?HaspKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC&Username=%s&Password=%s
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/Windows2003x64/WindowsServer2003.WindowsXP
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx64/WindowsServer2003.WindowsXP-K
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx86/WindowsXP-KB926139-v2-x86-ENU
Source: Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Setup.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.ooaccess.com
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.ooaccess.com&
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openoptionsinc.com
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: Setup.exe, 00000001.00000002.2582294440.0000000002038000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ooaccess.com/v7
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0B
Source: Setup.exe, Setup.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00424014 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00412A68 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0047AC34 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0042FA00 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0042EDC4 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: 3_2_00489FEC
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Code function: String function: 00407D84 appears 43 times
Source: Setup.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup.tmp.1.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engineClassification label: clean5.winEXE@3/3@2/0
Source: C:\Users\user\Desktop\Setup.exeCode function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmpCode function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,3_2_00455E14
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmpCode function: 3_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,3_2_0045663C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmpCode function: 3_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,3_2_00456E68
Source: C:\Users\user\Desktop\Setup.exeCode function: 1_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,1_2_0040A10C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp
Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Setup.exe | String found in binary or memory: /LOADINF="filename"
Source: Setup.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Window found: window name: TEdit
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Setup.exe | Static PE information: certificate valid
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00450A28
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_00406A50 push 00406A8Dh; ret 1_2_00406A85
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_004040B5 push eax; ret 1_2_004040F1
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_00404185 push 00404391h; ret 1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_00404206 push 00404391h; ret 1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_004042E8 push 00404391h; ret 1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_00404283 push 00404391h; ret 1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_004093EC push 0040941Fh; ret 1_2_00409417
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_004085B8 push ecx; mov dword ptr [esp], eax 1_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00409DDC push 00409E19h; ret 3_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0041A0B8 push ecx; mov dword ptr [esp], ecx 3_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00452194 push ecx; mov dword ptr [esp], eax 3_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_004062CC push ecx; mov dword ptr [esp], eax 3_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040A2DF push ds; ret 3_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_004605AC push ecx; mov dword ptr [esp], ecx 3_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00458848 push 00458880h; ret 3_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00410970 push ecx; mov dword ptr [esp], edx 3_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00412DB8 push 00412E1Bh; ret 3_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040D2C8 push ecx; mov dword ptr [esp], edx 3_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040546D push eax; ret 3_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040553D push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_004055BE push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040563B push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_004056A0 push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0040F828 push ecx; mov dword ptr [esp], edx 3_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00443930 push ecx; mov dword ptr [esp], ecx 3_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00487AF0 push ecx; mov dword ptr [esp], ecx 3_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00459B60 push 00459BA4h; ret 3_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00497B18 push ecx; mov dword ptr [esp], ecx 3_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00479C7C push ecx; mov dword ptr [esp], edx 3_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00451FD0 push 00452003h; ret 3_2_00451FFB
Source: C:\Users\user\Desktop\Setup.exe - File created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - File created: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,3_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,3_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,3_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0041815E IsIconic,SetWindowPos,3_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,3_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0042466C IsIconic,SetActiveWindow,SetFocus,3_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00424624 IsIconic,SetActiveWindow,3_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,3_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00417A28 IsIconic,GetCapture,3_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,3_2_00485CFC
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,3_2_0041F5A8
Source: C:\Users\user\Desktop\Setup.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Setup.exe - Evasive API call chain: GetSystemTime,DecisionNodes graph_1-5924
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,3_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,3_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,3_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00453238 FindFirstFileA,GetLastError,3_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,3_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,3_2_00463B44
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,1_2_0040A050
Source: C:\Users\user\Desktop\Setup.exe - API call chain: ExitProcess graph end node graph_1-6944
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00450A28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,3_2_0047A678
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,3_2_0042F294
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,3_2_0042E52C
Source: C:\Users\user\Desktop\Setup.exe - Code function: GetLocaleInfoA,1_2_00405694
Source: C:\Users\user\Desktop\Setup.exe - Code function: GetLocaleInfoA,1_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: GetLocaleInfoA,3_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: GetLocaleInfoA,3_2_00408A44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,3_2_00458E58
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_004026C4 GetSystemTime,1_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp - Code function: 3_2_00455DCC GetUserNameA,3_2_00455DCC
Source: C:\Users\user\Desktop\Setup.exe - Code function: 1_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,1_2_00404654
Source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp - Binary or memory string: {app}\Tools\procexp.exe
ATT&CK matrix (the number in parentheses is how many signatures mapped to that technique; entries without a number are unmatched matrix placeholders):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter (2), Native API (2), At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Exploitation for Privilege Escalation (1), Access Token Manipulation (1), Process Injection (2), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Access Token Manipulation (1), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Compile After Delivery
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (1), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (3), File and Directory Discovery (1), System Information Discovery (15)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1545527 | Sample: Setup.exe | Startdate: 30/10/2024 | Architecture: WINDOWS | Score: 5
DNS/IP: 200.163.202.172.in-addr.arpa, 15.164.165.52.in-addr.arpa
Setup.exe (2) started
  dropped: C:\Users\user\AppData\Local\...\Setup.tmp, PE32
  Setup.tmp (3, 12) started
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+

Source | Detection | Scanner
Setup.exe | 4% | ReversingLabs
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
15.164.165.52.in-addr.arpa | unknown | unknown | false | - | unknown
200.163.202.172.in-addr.arpa | unknown | unknown | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | Setup.exe, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.remobjects.com/psU | Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | Setup.exe, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0B | Setup.exe, Setup.tmp.1.dr | false | - | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | Setup.exe, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Setup.exe | false | - | unknown
http://www.ooaccess.com | Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.ooaccess.com& | Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://sectigo.com/CPS0D | Setup.exe, Setup.tmp.1.dr | false | - | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | Setup.exe | false | - | unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | Setup.exe, Setup.tmp.1.dr | false | - | unknown
http://license.openoptionsinc.com/LicenseFile?HaspKey=%s&Product=FULIC | Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.remobjects.com/ps | Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr | false | URL Reputation: safe | unknown
http://www.openoptionsinc.com | Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://ooaccess.com/v7 | Setup.exe, 00000001.00000002.2582294440.0000000002038000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC&Username=%s&Password=%s | Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | Setup.exe, Setup.tmp.1.dr | false | - | unknown
http://license.ooinc.com/Download/FlexAPI | Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC | Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
                                  No contacted IP infos
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1545527
                                  Start date and time:2024-10-30 16:43:54 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 11s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:8
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Setup.exe
                                  Detection:CLEAN
                                  Classification:clean5.winEXE@3/3@2/0
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 95%
                                  • Number of executed functions: 102
                                  • Number of non-executed functions: 191
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • VT rate limit hit for: Setup.exe
                                  No simulations
                                  No context
                                  No context
                                  No context
                                  No context
Match: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | Detection | Threat Name
Setup_DigiSignerOne_x86.exe | malicious | Havoc
XS_Trade_AI-newest_release_.exe | malicious | LummaC
Reminder.exe | malicious | Amadey
Reminder.exe | malicious | Amadey
Reminder.exe | malicious | Amadey
yM3BrI8G1E | malicious | Unknown
MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip | malicious | Xmrig
Reminder.exe | malicious | Amadey
Reminder.exe | malicious | Amadey
file.exe | malicious | Unknown
                                                      Process:C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):6505
                                                      Entropy (8bit):4.863388771804084
                                                      Encrypted:false
                                                      SSDEEP:48:r/MiXMsmrpvOBbABgW9QS/9ZBucc3fnrsZkrrPEUJnUbEUJn27EUJns10EUJnDLn:zb58QD9a9jKs0
                                                      MD5:FC313555D872779C40513D98AE67FCE0
                                                      SHA1:5B6C9EAA3880DBD1FB57873064CED18CD051C5FE
                                                      SHA-256:F8658D26A2043A3A0AAD2B0CF429E611ABBBFE69782429332C58A2FF40726B10
                                                      SHA-512:570F19578D517CB73091FD5201647BB438420BB93BE6689B6AEE6DC7BAF864694C5421CBCEF6F8D3E09D2DA7A087623266480BD058BBFAAFA620E705BEC5A8EB
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:2024-10-30 11:44:54.717 Log opened. (Time zone: UTC-04:00)..2024-10-30 11:44:54.717 Setup version: Inno Setup version 5.6.1 (a)..2024-10-30 11:44:54.717 Original Setup EXE: C:\Users\user\Desktop\Setup.exe..2024-10-30 11:44:54.717 Setup command line: /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe" ..2024-10-30 11:44:54.717 Windows version: 10.0.19045 (NT platform: Yes)..2024-10-30 11:44:54.717 64-bit Windows: Yes..2024-10-30 11:44:54.717 Processor architecture: x64..2024-10-30 11:44:54.717 User privileges: Administrative..2024-10-30 11:44:54.748 64-bit install mode: No..2024-10-30 11:44:54.763 Created temporary directory: C:\Users\user~1\AppData\Local\Temp\is-8Q1AL.tmp..2024-10-30 11:44:54.779 -- DLL function import --..2024-10-30 11:44:54.779 Function name: LoadSkin..2024-10-30 11:44:54.779 DLL name: files:isskin.dll..2024-10-30 11:44:54.779 Extracting temporary file: C:\Users\user~1\AppData\Local\Temp\is-8Q1AL.tmp\isskin.dll..2024-10-30
                                                      Process:C:\Users\user\Desktop\Setup.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:modified
                                                      Size (bytes):763464
                                                      Entropy (8bit):6.573126941840791
                                                      Encrypted:false
                                                      SSDEEP:12288:3qIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPul8yx9z:6IZg+uiirPO37fzH4A6haDbcUZEbdT9K
                                                      MD5:21BBD416AD06BFBA595FD3C2FED9B612
                                                      SHA1:CDC6BCF1D7B44B91E128F2FCB6A760E2AC8B6AEE
                                                      SHA-256:B7015BC1AA95FFC541F5BFF11463AC6DE3DDD4FA5A367E1FCD3EB3F944909475
                                                      SHA-512:5979431C79706EA8838A13E86CD936FFA07965F89EFAC644D918AB8E4B27FE21891F896D136B7E2CCAA30B274B4E75645E8A0E2A59CA432F609A5D503D562277
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                      Reputation:low
                                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@..........................`......+.....@......@..............................2&.......v...........f..H@...P...............................@......................................................CODE....p........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.. ....P......................@..P.rsrc....v.......x..................@..P....................................@..P........................................................................................................................................
                                                      Process:C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):6144
                                                      Entropy (8bit):4.720366600008286
                                                      Encrypted:false
                                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
• Filename: Setup_DigiSignerOne_x86.exe, Detection: malicious
• Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: yM3BrI8G1E, Detection: malicious
• Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: Reminder.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                      Reputation:high, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.608859172172792
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 98.86%
                                                      • Inno Setup installer (109748/4) 1.08%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      File name:Setup.exe
                                                      File size:502'656 bytes
                                                      MD5:dc4f97df9369351e44f2f87ea7e5abd2
                                                      SHA1:b433ec49f9e2b35c0763218b38c1fee4a19e2cb0
                                                      SHA256:5ed1397e6c4496239f1c865c19df8f4ea4821fd148d3380baa5dedb6b8d710fc
                                                      SHA512:da7772af52892e780aedfb372ba4ffefa442141745ff77afadba6af24644ce6d7b5a58bd9d6846962287e0cc2ec2a4b8de1afa834c907662b337e84568094ea1
                                                      SSDEEP:12288:fyIF3IUpcSgjqV+35JixitvKkbj31tR+z:fyIiocq4j7BbT6
                                                      TLSH:20B4F115FFE20CB1C44147B4CDFA43527B32BDDA7E201705714EA7683E6639AAACA346
                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                      Icon Hash:336d9692964c290f
                                                      Entrypoint:0x40aad0
                                                      Entrypoint Section:CODE
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:1
                                                      OS Version Minor:0
                                                      File Version Major:1
                                                      File Version Minor:0
                                                      Subsystem Version Major:1
                                                      Subsystem Version Minor:0
                                                      Import Hash:2fb819a19fe4dee5c03e8c6a79342f79
                                                      Signature Valid:true
                                                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                      Signature Validation Error:The operation completed successfully
                                                      Error Number:0
                                                       Not Before, Not After
                                                       • Not Before: 09/07/2017 20:00:00
                                                       • Not After: 10/07/2021 19:59:59
                                                      Subject Chain
                                                      • CN="Open Options, LP.", O="Open Options, LP.", STREET=16650 Westgrove, STREET=Suite 150, L=Addison, S=TX, PostalCode=75001, C=US
                                                      Version:3
                                                      Thumbprint MD5:0C8D2C62F782C4BC0A7CE5A63A4FAAF4
                                                      Thumbprint SHA-1:D345CBF7A4152CFE38688E5C55A8B6D981F23C8F
                                                      Thumbprint SHA-256:E2AE83B704C26A1D9BD32A103776F943FA22D158BA971F0CBA7D6117388DE118
                                                      Serial:008D3265F40AE7E5258A6FFBE6011B2E51
                                                      Instruction
                                                      push ebp
                                                      mov ebp, esp
                                                      add esp, FFFFFFC4h
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      xor eax, eax
                                                      mov dword ptr [ebp-10h], eax
                                                      mov dword ptr [ebp-24h], eax
                                                      call 00007F0F3914F47Bh
                                                      call 00007F0F39150682h
                                                      call 00007F0F391509E9h
                                                      call 00007F0F39150E3Ch
                                                      call 00007F0F39152DDBh
                                                      call 00007F0F39155772h
                                                      call 00007F0F391558D9h
                                                      xor eax, eax
                                                      push ebp
                                                      push 0040B1A1h
                                                      push dword ptr fs:[eax]
                                                      mov dword ptr fs:[eax], esp
                                                      xor edx, edx
                                                      push ebp
                                                      push 0040B16Ah
                                                      push dword ptr fs:[edx]
                                                      mov dword ptr fs:[edx], esp
                                                      mov eax, dword ptr [0040D014h]
                                                      call 00007F0F391563ABh
                                                      call 00007F0F39155F96h
                                                      cmp byte ptr [0040C234h], 00000000h
                                                      je 00007F0F39156E8Eh
                                                      call 00007F0F391564A8h
                                                      xor eax, eax
                                                      call 00007F0F39150171h
                                                      lea edx, dword ptr [ebp-10h]
                                                      xor eax, eax
                                                      call 00007F0F391533EBh
                                                      mov edx, dword ptr [ebp-10h]
                                                      mov eax, 0040DE30h
                                                      call 00007F0F3914F512h
                                                      push 00000002h
                                                      push 00000000h
                                                      push 00000001h
                                                      mov ecx, dword ptr [0040DE30h]
                                                      mov dl, 01h
                                                      mov eax, 00407840h
                                                      call 00007F0F39153CA6h
                                                      mov dword ptr [0040DE34h], eax
                                                      xor edx, edx
                                                      push ebp
                                                      push 0040B122h
                                                      push dword ptr fs:[edx]
                                                      mov dword ptr fs:[edx], esp
                                                      call 00007F0F39156406h
                                                      mov dword ptr [0040DE3Ch], eax
                                                      mov eax, dword ptr [0040DE3Ch]
                                                      cmp dword ptr [eax+0Ch], 00000000h
                                                       Name                                   Virtual Address  Virtual Size  Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT           0xe000           0x97c         .idata
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE         0x12000          0x965c        .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY         0x76b38          0x4048
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC        0x11000          0x0           .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_TLS              0x10000          0x18          .rdata
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IAT              0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
                                                       Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                                       CODE    0x1000           0xa208        0xa400    49513e676dadfb3919c4b137dd7c6d66  False     0.5959413109756098   data       6.6016742350943245   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       DATA    0xc000           0x250         0x400     0a7b48e75f6b6ef4a087528fee0d185c  False     0.30859375           data       2.771347682604831    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       BSS     0xd000           0xe94         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                  IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .idata  0xe000           0x97c         0xa00     df5f31e62e05c787fd29eed7071bf556  False     0.41796875           data       4.486076246232586    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .tls    0xf000           0x8           0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                  IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .rdata  0x10000          0x18          0x200     14dfa4128117e7f94fe2f8d7dea374a0  False     0.05078125           data       0.190488766434666    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                       .reloc  0x11000          0x920         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                       .rsrc   0x12000          0x965c        0x9800    7b061d397143dd243ad751d13962b702  False     0.49028577302631576  data       5.7282145698532165   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                       Name           RVA      Size    Type                                                                 Language  Country        ZLIB Complexity
                                                       RT_ICON        0x12354  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896   English   United States  0.4456778460085026
                                                       RT_ICON        0x1657c  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600     English   United States  0.55
                                                       RT_ICON        0x18b24  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224     English   United States  0.6545497185741088
                                                       RT_ICON        0x19bcc  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088     English   United States  0.8457446808510638
                                                       RT_STRING      0x1a034  0x2f2   data                                                                                          0.35543766578249336
                                                       RT_STRING      0x1a328  0x30c   data                                                                                          0.3871794871794872
                                                       RT_STRING      0x1a634  0x2ce   data                                                                                          0.42618384401114207
                                                       RT_STRING      0x1a904  0x68    data                                                                                          0.75
                                                       RT_STRING      0x1a96c  0xb4    data                                                                                          0.6277777777777778
                                                       RT_STRING      0x1aa20  0xae    data                                                                                          0.5344827586206896
                                                       RT_RCDATA      0x1aad0  0x2c    data                                                                                          1.1590909090909092
                                                       RT_GROUP_ICON  0x1aafc  0x3e    data                                                                 English   United States  0.8225806451612904
                                                       RT_VERSION     0x1ab3c  0x4f4   data                                                                 English   United States  0.305993690851735
                                                       RT_MANIFEST    0x1b030  0x62c   XML 1.0 document, ASCII text, with CRLF line terminators             English   United States  0.4240506329113924
                                                       DLL           Import
                                                       kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                       user32.dll    MessageBoxA
                                                       oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                       advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                       kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                       user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                       comctl32.dll  InitCommonControls
                                                       advapi32.dll  AdjustTokenPrivileges
                                                       Language of compilation system  Country where language is spoken  Map
                                                       English                         United States
                                                       Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                       Oct 30, 2024 16:45:29.406951904 CET  53           56494      162.159.36.2  192.168.2.7
                                                       Oct 30, 2024 16:45:30.029361963 CET  59894        53         192.168.2.7   1.1.1.1
                                                       Oct 30, 2024 16:45:30.064718962 CET  53           59894      1.1.1.1       192.168.2.7
                                                       Oct 30, 2024 16:45:31.269414902 CET  64162        53         192.168.2.7   1.1.1.1
                                                       Oct 30, 2024 16:45:31.277282953 CET  53           64162      1.1.1.1       192.168.2.7
                                                       Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type                  Class        DNS over HTTPS
                                                       Oct 30, 2024 16:45:30.029361963 CET  192.168.2.7  1.1.1.1  0x8312    Standard query (0)  15.164.165.52.in-addr.arpa    PTR (Pointer record)  IN (0x0001)  false
                                                       Oct 30, 2024 16:45:31.269414902 CET  192.168.2.7  1.1.1.1  0xd95a    Standard query (0)  200.163.202.172.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
                                                       Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                          CName  Address  Type                  Class        DNS over HTTPS
                                                       Oct 30, 2024 16:45:30.064718962 CET  1.1.1.1    192.168.2.7  0x8312    Name error (3)  15.164.165.52.in-addr.arpa    none   none     PTR (Pointer record)  IN (0x0001)  false
                                                       Oct 30, 2024 16:45:31.277282953 CET  1.1.1.1    192.168.2.7  0xd95a    Name error (3)  200.163.202.172.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)  false

                                                      Target ID:1
                                                      Start time:11:44:54
                                                      Start date:30/10/2024
                                                      Path:C:\Users\user\Desktop\Setup.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Setup.exe"
                                                      Imagebase:0x400000
                                                      File size:502'656 bytes
                                                      MD5 hash:DC4F97DF9369351E44F2F87EA7E5ABD2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:11:44:54
                                                      Start date:30/10/2024
                                                      Path:C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"
                                                      Imagebase:0x400000
                                                      File size:763'464 bytes
                                                      MD5 hash:21BBD416AD06BFBA595FD3C2FED9B612
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 4%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:false

                                                        Execution Graph

                                                        Execution Coverage:22.3%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:8%
                                                        Total number of Nodes:1571
                                                        Total number of Limit Nodes:17
6485 40607b 6483->6485 6486 405e38 33 API calls 6484->6486 6489 403198 4 API calls 6485->6489 6486->6485 6488 4060a8 6487->6488 6490 405e38 33 API calls 6488->6490 6491 40610e 6489->6491 6490->6485 6492 40462b 6493 404638 SetErrorMode 6492->6493 7001 40b12c 7002 40b135 7001->7002 7005 40b160 7001->7005 7011 409920 7002->7011 7004 40b13a 7004->7005 7009 40b158 MessageBoxA 7004->7009 7006 403198 4 API calls 7005->7006 7007 40b198 7006->7007 7008 403198 4 API calls 7007->7008 7010 40b1a0 7008->7010 7009->7005 7012 409987 ExitWindowsEx 7011->7012 7013 40992c GetCurrentProcess OpenProcessToken 7011->7013 7015 40993e 7012->7015 7014 409942 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 7013->7014 7013->7015 7014->7012 7014->7015 7015->7004 7020 403932 7021 403924 7020->7021 7024 40374c 7021->7024 7023 40392c 7025 403766 7024->7025 7026 403759 7024->7026 7025->7023 7026->7025 7027 403779 VariantClear 7026->7027 7027->7023 6508 409e36 6509 409e38 6508->6509 6510 409e76 CallWindowProcA 6509->6510 6511 409e5a 6509->6511 6510->6511 6516 409e38 6517 409e5a 6516->6517 6519 409e47 6516->6519 6518 409e76 CallWindowProcA 6518->6517 6519->6517 6519->6518 6520 4090c4 6521 4090cb 6520->6521 6522 403198 4 API calls 6521->6522 6532 409165 6522->6532 6523 409190 6524 4031b8 4 API calls 6523->6524 6526 40921d 6524->6526 6525 40917c 6527 4032c4 18 API calls 6525->6527 6528 409186 6527->6528 6530 4032fc 18 API calls 6528->6530 6529 403278 18 API calls 6529->6532 6530->6523 6531 4032fc 18 API calls 6531->6532 6532->6523 6532->6525 6532->6529 6532->6531 6273 4074cb 6274 4074bc SetErrorMode 6273->6274 6533 402ccc 6536 402cfe 6533->6536 6537 402cdd 6533->6537 6534 402d88 RtlUnwind 6535 403154 4 API calls 6534->6535 6535->6536 6537->6534 6537->6536 6538 402b28 RaiseException 6537->6538 6539 402d7f 6538->6539 6539->6534 7038 403fcd 7039 403f07 4 API calls 7038->7039 7040 403fd6 7039->7040 7041 403e9c 4 API calls 7040->7041 7042 403fe2 7041->7042 5127 40aad0 5170 4030dc 5127->5170 5129 
40aae6 5173 4042e8 5129->5173 5131 40aaeb 5176 404654 GetModuleHandleA GetVersion 5131->5176 5135 40aaf5 5273 406a50 5135->5273 5137 40aafa 5282 409558 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5137->5282 5144 40ab3d 5310 4070b4 5144->5310 5156 40abe8 5350 407954 5156->5350 5158 40abaa 5158->5156 5390 409fc0 5158->5390 5159 40ac0e 5160 40ac29 5159->5160 5161 409fc0 18 API calls 5159->5161 5354 407edc 5160->5354 5161->5160 5163 40ac4e 5364 408fbc 5163->5364 5167 40ac94 5168 408fbc 35 API calls 5167->5168 5169 40accd 5167->5169 5168->5167 5400 403094 5170->5400 5172 4030e1 GetModuleHandleA GetCommandLineA 5172->5129 5175 404323 5173->5175 5401 403154 5173->5401 5175->5131 5177 4046a5 5176->5177 5178 404685 GetProcAddress 5176->5178 5180 4048d2 GetProcAddress 5177->5180 5181 4046ad GetProcAddress 5177->5181 5178->5177 5179 404696 5178->5179 5179->5177 5182 4048e1 5180->5182 5183 4048e8 GetProcAddress 5180->5183 5184 4046bc 5181->5184 5182->5183 5186 4048f7 SetProcessDEPPolicy 5183->5186 5187 4048fb 5183->5187 5418 4045a0 GetSystemDirectoryA 5184->5418 5186->5187 5414 403198 5187->5414 5189 4031e8 18 API calls 5192 4046d8 5189->5192 5192->5180 5193 40470b 5192->5193 5421 4032fc 5192->5421 5435 40322c 5193->5435 5197 4032fc 18 API calls 5198 404726 5197->5198 5439 4045cc SetErrorMode 5198->5439 5201 40322c 4 API calls 5202 40473c 5201->5202 5203 4032fc 18 API calls 5202->5203 5204 404749 5203->5204 5205 4045cc 2 API calls 5204->5205 5206 404751 5205->5206 5207 40322c 4 API calls 5206->5207 5208 40475f 5207->5208 5209 4032fc 18 API calls 5208->5209 5210 40476c 5209->5210 5211 4045cc 2 API calls 5210->5211 5212 404774 5211->5212 5213 40322c 4 API calls 5212->5213 5214 404782 5213->5214 5215 4032fc 18 API calls 5214->5215 5216 40478f 5215->5216 5217 4045cc 2 API calls 5216->5217 5218 404797 5217->5218 5219 40322c 4 API calls 5218->5219 5220 4047a5 5219->5220 5221 4032fc 18 API calls 5220->5221 5222 4047b2 5221->5222 5223 4045cc 2 API calls 5222->5223 
5224 4047ba 5223->5224 5225 40322c 4 API calls 5224->5225 5226 4047c8 5225->5226 5227 4032fc 18 API calls 5226->5227 5228 4047d5 5227->5228 5229 4045cc 2 API calls 5228->5229 5230 4047dd 5229->5230 5231 40322c 4 API calls 5230->5231 5232 4047eb 5231->5232 5233 4032fc 18 API calls 5232->5233 5234 4047f8 5233->5234 5235 4045cc 2 API calls 5234->5235 5236 404800 5235->5236 5237 40322c 4 API calls 5236->5237 5238 40480e 5237->5238 5239 4032fc 18 API calls 5238->5239 5240 40481b 5239->5240 5241 4045cc 2 API calls 5240->5241 5242 404823 5241->5242 5243 40322c 4 API calls 5242->5243 5244 404831 5243->5244 5245 4032fc 18 API calls 5244->5245 5246 40483e 5245->5246 5247 4045cc 2 API calls 5246->5247 5248 404846 5247->5248 5249 40322c 4 API calls 5248->5249 5250 404854 5249->5250 5251 4032fc 18 API calls 5250->5251 5252 404861 5251->5252 5253 4045cc 2 API calls 5252->5253 5254 404869 5253->5254 5255 40322c 4 API calls 5254->5255 5256 404877 5255->5256 5257 4032fc 18 API calls 5256->5257 5258 404884 5257->5258 5259 4045cc 2 API calls 5258->5259 5260 40488c 5259->5260 5261 40322c 4 API calls 5260->5261 5262 40489a 5261->5262 5263 4032fc 18 API calls 5262->5263 5264 4048a7 5263->5264 5265 4045cc 2 API calls 5264->5265 5266 4048af 5265->5266 5267 40322c 4 API calls 5266->5267 5268 4048bd 5267->5268 5269 4032fc 18 API calls 5268->5269 5270 4048ca 5269->5270 5271 4045cc 2 API calls 5270->5271 5271->5180 5272 404aac 6FDA1CD0 5272->5135 5545 406130 5273->5545 5283 4095ad 5282->5283 5651 40717c GetSystemDirectoryA 5283->5651 5287 4095d4 5288 4032fc 18 API calls 5287->5288 5289 4095e1 5288->5289 5664 407454 SetErrorMode 5289->5664 5294 4031b8 4 API calls 5295 409615 5294->5295 5296 40a050 GetSystemInfo VirtualQuery 5295->5296 5297 40a104 5296->5297 5300 40a07a 5296->5300 5302 409c40 5297->5302 5298 40a0e5 VirtualQuery 5298->5297 5298->5300 5299 40a0a4 VirtualProtect 5299->5300 5300->5297 5300->5298 5300->5299 5301 40a0d3 VirtualProtect 5300->5301 5301->5298 5696 407058 GetCommandLineA 
5302->5696 5304 409d28 5306 4031b8 4 API calls 5304->5306 5305 4070b4 20 API calls 5309 409c5d 5305->5309 5307 409d42 5306->5307 5307->5144 5380 40a160 5307->5380 5308 403454 18 API calls 5308->5309 5309->5304 5309->5305 5309->5308 5311 4070db GetModuleFileNameA 5310->5311 5312 4070ff GetCommandLineA 5310->5312 5313 403278 18 API calls 5311->5313 5314 407104 5312->5314 5315 4070fd 5313->5315 5316 407109 5314->5316 5317 406f78 18 API calls 5314->5317 5320 407111 5314->5320 5318 40712c 5315->5318 5319 403198 4 API calls 5316->5319 5317->5314 5321 403198 4 API calls 5318->5321 5319->5320 5322 40322c 4 API calls 5320->5322 5323 407141 5321->5323 5322->5318 5324 4031e8 5323->5324 5325 4031ec 5324->5325 5328 4031fc 5324->5328 5327 403254 18 API calls 5325->5327 5325->5328 5326 403228 5330 407994 5326->5330 5327->5328 5328->5326 5329 4025ac 4 API calls 5328->5329 5329->5326 5331 40799e 5330->5331 5717 407a2a 5331->5717 5720 407a2c 5331->5720 5332 4079ca 5333 4079de 5332->5333 5723 407940 GetLastError 5332->5723 5337 40a10c FindResourceA 5333->5337 5338 40a121 5337->5338 5339 40a126 SizeofResource 5337->5339 5340 409fc0 18 API calls 5338->5340 5341 40a133 5339->5341 5342 40a138 LoadResource 5339->5342 5340->5339 5343 409fc0 18 API calls 5341->5343 5344 40a146 5342->5344 5345 40a14b LockResource 5342->5345 5343->5342 5346 409fc0 18 API calls 5344->5346 5347 40a157 5345->5347 5348 40a15c 5345->5348 5346->5345 5349 409fc0 18 API calls 5347->5349 5348->5158 5387 407dcc 5348->5387 5349->5348 5351 407968 5350->5351 5352 407978 5351->5352 5353 4078a0 34 API calls 5351->5353 5352->5159 5353->5352 5355 407ee9 5354->5355 5356 405d18 18 API calls 5355->5356 5357 407f3d 5355->5357 5356->5357 5358 407dcc InterlockedExchange 5357->5358 5359 407f4f 5358->5359 5360 405d18 18 API calls 5359->5360 5361 407f65 5359->5361 5360->5361 5362 407fa8 5361->5362 5363 405d18 18 API calls 5361->5363 5362->5163 5363->5362 5368 409036 5364->5368 5371 408fed 5364->5371 5365 409081 5822 40816c 5365->5822 
5367 409098 5372 4031b8 4 API calls 5367->5372 5368->5365 5370 4034f0 18 API calls 5368->5370 5376 4031e8 18 API calls 5368->5376 5377 403420 18 API calls 5368->5377 5379 40816c 35 API calls 5368->5379 5369 4034f0 18 API calls 5369->5371 5370->5368 5371->5368 5371->5369 5373 403420 18 API calls 5371->5373 5375 4031e8 18 API calls 5371->5375 5378 40816c 35 API calls 5371->5378 5374 4090b2 5372->5374 5373->5371 5397 4050a8 5374->5397 5375->5371 5376->5368 5377->5368 5378->5371 5379->5368 5381 40322c 4 API calls 5380->5381 5382 40a183 5381->5382 5383 40a192 MessageBoxA 5382->5383 5384 40a1a7 5383->5384 5385 403198 4 API calls 5384->5385 5386 40a1af 5385->5386 5386->5144 5844 407d78 5387->5844 5391 409fe1 5390->5391 5392 409fc9 5390->5392 5394 405d18 18 API calls 5391->5394 5393 405d18 18 API calls 5392->5393 5395 409fdb 5393->5395 5396 409ff2 5394->5396 5395->5156 5396->5156 5398 402594 18 API calls 5397->5398 5399 4050b3 5398->5399 5399->5167 5400->5172 5402 403164 5401->5402 5403 40318c TlsGetValue 5401->5403 5402->5175 5404 403196 5403->5404 5405 40316f 5403->5405 5404->5175 5409 40310c 5405->5409 5407 403174 TlsGetValue 5408 403184 5407->5408 5408->5175 5410 403120 LocalAlloc 5409->5410 5411 403116 5409->5411 5412 40313e TlsSetValue 5410->5412 5413 403132 5410->5413 5411->5410 5412->5413 5413->5407 5415 4031b7 5414->5415 5416 40319e 5414->5416 5415->5272 5416->5415 5443 4025ac 5416->5443 5447 40458c 5418->5447 5422 403300 5421->5422 5423 40333f 5421->5423 5424 4031e8 5422->5424 5425 40330a 5422->5425 5423->5193 5429 4031fc 5424->5429 5432 403254 18 API calls 5424->5432 5426 403334 5425->5426 5427 40331d 5425->5427 5428 4034f0 18 API calls 5426->5428 5530 4034f0 5427->5530 5434 403322 5428->5434 5430 403228 5429->5430 5433 4025ac 4 API calls 5429->5433 5430->5193 5432->5429 5433->5430 5434->5193 5437 403230 5435->5437 5436 403252 5436->5197 5437->5436 5438 4025ac 4 API calls 5437->5438 5438->5436 5543 403414 5439->5543 5442 40461e 5442->5201 5444 4025ba 5443->5444 
5445 4025b0 5443->5445 5444->5415 5444->5444 5445->5444 5446 403154 4 API calls 5445->5446 5446->5444 5450 4032c4 5447->5450 5453 403278 5450->5453 5452 403288 5454 403198 4 API calls 5452->5454 5456 403254 5453->5456 5455 4032a0 5454->5455 5455->5189 5457 403274 5456->5457 5458 403258 5456->5458 5457->5452 5461 402594 5458->5461 5460 403261 5460->5452 5462 402598 5461->5462 5464 4025a2 5461->5464 5467 401fd4 5462->5467 5463 40259e 5463->5464 5465 403154 4 API calls 5463->5465 5464->5460 5464->5464 5465->5464 5468 401fe8 5467->5468 5469 401fed 5467->5469 5478 401918 RtlInitializeCriticalSection 5468->5478 5471 402012 RtlEnterCriticalSection 5469->5471 5472 40201c 5469->5472 5477 401ff1 5469->5477 5471->5472 5472->5477 5485 401ee0 5472->5485 5475 402147 5475->5463 5476 40213d RtlLeaveCriticalSection 5476->5475 5477->5463 5479 40193c RtlEnterCriticalSection 5478->5479 5480 401946 5478->5480 5479->5480 5481 401964 LocalAlloc 5480->5481 5482 40197e 5481->5482 5483 4019c3 RtlLeaveCriticalSection 5482->5483 5484 4019cd 5482->5484 5483->5484 5484->5469 5488 401ef0 5485->5488 5486 401f1c 5490 401f40 5486->5490 5496 401d00 5486->5496 5488->5486 5488->5490 5491 401e58 5488->5491 5490->5475 5490->5476 5500 4016d8 5491->5500 5495 401e75 5495->5488 5497 401d4e 5496->5497 5498 401d1e 5496->5498 5497->5498 5517 401c68 5497->5517 5498->5490 5503 4016f4 5500->5503 5501 401430 LocalAlloc VirtualAlloc VirtualFree 5501->5503 5502 4016fe 5504 4015c4 VirtualAlloc 5502->5504 5503->5501 5503->5502 5505 40175b 5503->5505 5506 40132c LocalAlloc 5503->5506 5507 40174f 5503->5507 5508 40170a 5504->5508 5505->5495 5510 401dcc 5505->5510 5506->5503 5509 40150c VirtualFree 5507->5509 5508->5505 5509->5505 5511 401d80 9 API calls 5510->5511 5512 401de0 5511->5512 5513 40132c LocalAlloc 5512->5513 5514 401df0 5513->5514 5515 401b44 9 API calls 5514->5515 5516 401df8 5514->5516 5515->5516 5516->5495 5518 401c7a 5517->5518 5519 401c9d 5518->5519 5520 401caf 5518->5520 5521 40188c LocalAlloc 
VirtualFree VirtualFree 5519->5521 5522 40188c LocalAlloc VirtualFree VirtualFree 5520->5522 5523 401cad 5521->5523 5522->5523 5524 401cc5 5523->5524 5525 401b44 9 API calls 5523->5525 5524->5498 5526 401cd4 5525->5526 5527 401cee 5526->5527 5528 401b98 9 API calls 5526->5528 5529 4013a0 LocalAlloc 5527->5529 5528->5527 5529->5524 5531 4034fd 5530->5531 5538 40352d 5530->5538 5532 403526 5531->5532 5535 403509 5531->5535 5536 403254 18 API calls 5532->5536 5533 403198 4 API calls 5534 403517 5533->5534 5534->5434 5539 4025c4 5535->5539 5536->5538 5538->5533 5540 4025ca 5539->5540 5541 4025dc 5540->5541 5542 403154 4 API calls 5540->5542 5541->5534 5542->5541 5544 403418 LoadLibraryA 5543->5544 5544->5442 5617 405dc8 5545->5617 5548 405708 GetSystemDefaultLCID 5549 40573e 5548->5549 5550 4031e8 18 API calls 5549->5550 5551 405164 19 API calls 5549->5551 5552 405694 19 API calls 5549->5552 5555 4057a0 5549->5555 5550->5549 5551->5549 5552->5549 5553 405164 19 API calls 5553->5555 5554 405694 19 API calls 5554->5555 5555->5553 5555->5554 5556 4031e8 18 API calls 5555->5556 5557 405823 5555->5557 5556->5555 5633 4031b8 5557->5633 5560 40584c GetSystemDefaultLCID 5637 405694 GetLocaleInfoA 5560->5637 5563 4031e8 18 API calls 5564 40588c 5563->5564 5565 405694 19 API calls 5564->5565 5566 4058a1 5565->5566 5567 405694 19 API calls 5566->5567 5568 4058c5 5567->5568 5643 4056e0 GetLocaleInfoA 5568->5643 5571 4056e0 GetLocaleInfoA 5572 4058f5 5571->5572 5573 405694 19 API calls 5572->5573 5574 40590f 5573->5574 5575 4056e0 GetLocaleInfoA 5574->5575 5576 40592c 5575->5576 5577 405694 19 API calls 5576->5577 5578 405946 5577->5578 5579 4031e8 18 API calls 5578->5579 5580 405953 5579->5580 5581 405694 19 API calls 5580->5581 5582 405968 5581->5582 5583 4031e8 18 API calls 5582->5583 5584 405975 5583->5584 5585 4056e0 GetLocaleInfoA 5584->5585 5586 405983 5585->5586 5587 405694 19 API calls 5586->5587 5588 40599d 5587->5588 5589 4031e8 18 API calls 5588->5589 5590 4059aa 
5589->5590 5591 405694 19 API calls 5590->5591 5592 4059bf 5591->5592 5593 4031e8 18 API calls 5592->5593 5594 4059cc 5593->5594 5595 405694 19 API calls 5594->5595 5596 4059e1 5595->5596 5597 4059fe 5596->5597 5598 4059ef 5596->5598 5600 40322c 4 API calls 5597->5600 5599 40322c 4 API calls 5598->5599 5601 4059fc 5599->5601 5600->5601 5602 405694 19 API calls 5601->5602 5603 405a20 5602->5603 5604 405a3d 5603->5604 5605 405a2e 5603->5605 5607 403198 4 API calls 5604->5607 5606 40322c 4 API calls 5605->5606 5608 405a3b 5606->5608 5607->5608 5645 4033b4 5608->5645 5610 405a5f 5611 4033b4 18 API calls 5610->5611 5612 405a79 5611->5612 5613 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5612->5613 5614 405a93 5613->5614 5615 40617c GetVersionExA 5614->5615 5616 406193 5615->5616 5616->5137 5618 405dd4 5617->5618 5625 405164 LoadStringA 5618->5625 5621 4031e8 18 API calls 5622 405e05 5621->5622 5623 403198 4 API calls 5622->5623 5624 405e1a 5623->5624 5624->5548 5628 403278 5625->5628 5629 403254 18 API calls 5628->5629 5630 403288 5629->5630 5631 403198 4 API calls 5630->5631 5632 4032a0 5631->5632 5632->5621 5634 4031be 5633->5634 5635 4031e3 5634->5635 5636 4025ac 4 API calls 5634->5636 5635->5560 5636->5634 5638 4056bb 5637->5638 5639 4056cd 5637->5639 5641 403278 18 API calls 5638->5641 5640 40322c 4 API calls 5639->5640 5642 4056cb 5640->5642 5641->5642 5642->5563 5644 4056fc 5643->5644 5644->5571 5646 4033bc 5645->5646 5647 403254 18 API calls 5646->5647 5648 4033cf 5647->5648 5649 4031e8 18 API calls 5648->5649 5650 4033f7 5649->5650 5672 405268 5651->5672 5654 406ac0 5655 406aca 5654->5655 5656 406aed 5654->5656 5675 406dd8 5655->5675 5657 40322c 4 API calls 5656->5657 5659 406af6 5657->5659 5659->5287 5660 406ad1 5660->5656 5661 406adc 5660->5661 5680 403340 5661->5680 5663 406aea 5663->5287 5665 403414 5664->5665 5666 40748c LoadLibraryA 5665->5666 5667 4074a2 5666->5667 5668 407738 FormatMessageA 5667->5668 5669 40775e 5668->5669 5670 403278 18 API 
calls 5669->5670 5671 40777b 5670->5671 5671->5294 5673 4032c4 18 API calls 5672->5673 5674 405277 5673->5674 5674->5654 5676 406de3 5675->5676 5677 406ddf 5675->5677 5695 406df8 CharPrevA 5676->5695 5677->5660 5679 406df4 5679->5660 5681 403344 5680->5681 5682 4033a5 5680->5682 5683 4031e8 5681->5683 5684 40334c 5681->5684 5685 4031fc 5683->5685 5688 403254 18 API calls 5683->5688 5684->5682 5686 40335b 5684->5686 5689 4031e8 18 API calls 5684->5689 5687 403228 5685->5687 5691 4025ac 4 API calls 5685->5691 5690 403254 18 API calls 5686->5690 5687->5663 5688->5685 5689->5686 5692 403375 5690->5692 5691->5687 5693 4031e8 18 API calls 5692->5693 5694 4033a1 5693->5694 5694->5663 5695->5679 5703 406f78 5696->5703 5698 40707b 5699 40708d 5698->5699 5700 406f78 18 API calls 5698->5700 5701 403198 4 API calls 5699->5701 5700->5698 5702 4070a2 5701->5702 5702->5309 5704 406fa4 5703->5704 5705 403278 18 API calls 5704->5705 5706 406fb1 5705->5706 5713 403420 5706->5713 5708 406fb9 5709 4031e8 18 API calls 5708->5709 5710 406fd1 5709->5710 5711 403198 4 API calls 5710->5711 5712 406ff3 5711->5712 5712->5698 5714 403426 5713->5714 5716 403437 5713->5716 5715 403254 18 API calls 5714->5715 5714->5716 5715->5716 5716->5708 5718 407a2c 5717->5718 5719 407a6b CreateFileA 5718->5719 5719->5332 5721 403414 5720->5721 5722 407a6b CreateFileA 5721->5722 5722->5332 5726 4078a0 5723->5726 5727 407738 19 API calls 5726->5727 5728 4078c8 5727->5728 5729 4078e8 5728->5729 5735 40561c 5728->5735 5738 405d18 5729->5738 5732 4078f7 5733 403198 4 API calls 5732->5733 5734 407914 5733->5734 5734->5333 5742 405630 5735->5742 5739 405d1f 5738->5739 5740 4031e8 18 API calls 5739->5740 5741 405d37 5740->5741 5741->5732 5743 40564d 5742->5743 5750 4052e0 5743->5750 5746 405679 5748 403278 18 API calls 5746->5748 5749 40562b 5748->5749 5749->5729 5752 4052fb 5750->5752 5751 40530d 5751->5746 5755 40506c 5751->5755 5752->5751 5758 405402 5752->5758 5765 4052d4 5752->5765 5756 405dc8 19 API calls 
5755->5756 5757 40507d 5756->5757 5757->5746 5759 405413 5758->5759 5761 405461 5758->5761 5759->5761 5762 4054e7 5759->5762 5764 40547f 5761->5764 5768 40527c 5761->5768 5762->5764 5772 4052c0 5762->5772 5764->5752 5766 403198 4 API calls 5765->5766 5767 4052de 5766->5767 5767->5752 5769 40528a 5768->5769 5775 405084 5769->5775 5771 4052b8 5771->5761 5788 4039a4 5772->5788 5778 405e38 5775->5778 5777 40509d 5777->5771 5779 405e46 5778->5779 5780 405164 19 API calls 5779->5780 5781 405e70 5780->5781 5782 40561c 33 API calls 5781->5782 5783 405e7e 5782->5783 5784 4031e8 18 API calls 5783->5784 5785 405e89 5784->5785 5786 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5785->5786 5787 405ea3 5786->5787 5787->5777 5789 4039ab 5788->5789 5794 4038b4 5789->5794 5791 4039cb 5792 403198 4 API calls 5791->5792 5793 4039d2 5792->5793 5793->5764 5795 4038d5 5794->5795 5796 4038c8 5794->5796 5798 403934 5795->5798 5799 4038db 5795->5799 5797 403780 6 API calls 5796->5797 5812 4038d0 5797->5812 5800 403993 5798->5800 5801 40393b 5798->5801 5802 4038e1 5799->5802 5803 4038ee 5799->5803 5804 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5800->5804 5805 403941 5801->5805 5806 40394b 5801->5806 5807 403894 6 API calls 5802->5807 5808 403894 6 API calls 5803->5808 5804->5812 5810 403864 23 API calls 5805->5810 5811 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5806->5811 5807->5812 5809 4038fc 5808->5809 5813 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5809->5813 5810->5812 5814 40395d 5811->5814 5812->5791 5815 403917 5813->5815 5816 403864 23 API calls 5814->5816 5818 40374c VariantClear 5815->5818 5817 403976 5816->5817 5819 40374c VariantClear 5817->5819 5820 40392c 5818->5820 5821 40398b 5819->5821 5820->5791 5821->5791 5823 408187 5822->5823 5824 40817c 5822->5824 5828 408110 5823->5828 5824->5367 5827 405d18 18 API calls 5827->5824 5829 408163 5828->5829 5830 408124 5828->5830 5829->5824 5829->5827 5830->5829 5832 408060 
5830->5832 5833 40806b 5832->5833 5836 40807c 5832->5836 5834 405d18 18 API calls 5833->5834 5834->5836 5835 407954 34 API calls 5837 408090 5835->5837 5836->5835 5838 407954 34 API calls 5837->5838 5839 4080b1 5838->5839 5840 407dcc InterlockedExchange 5839->5840 5841 4080c6 5840->5841 5842 4080dc 5841->5842 5843 405d18 18 API calls 5841->5843 5842->5830 5843->5842 5845 407d8a 5844->5845 5846 407d9b 5844->5846 5847 407d8f InterlockedExchange 5845->5847 5846->5158 5847->5846 6540 4024d0 6541 4024e4 6540->6541 6545 4024e9 6540->6545 6542 401918 4 API calls 6541->6542 6542->6545 6543 402518 6555 402300 6543->6555 6544 40250e RtlEnterCriticalSection 6544->6543 6545->6543 6545->6544 6547 4024ed 6545->6547 6549 402525 6551 402581 6549->6551 6552 402577 RtlLeaveCriticalSection 6549->6552 6550 401fd4 14 API calls 6553 402531 6550->6553 6552->6551 6553->6549 6565 40215c 6553->6565 6556 402314 6555->6556 6557 402335 6556->6557 6558 4023b8 6556->6558 6563 402344 6557->6563 6579 401b74 6557->6579 6560 402455 6558->6560 6558->6563 6582 401d80 6558->6582 6586 401e84 6558->6586 6560->6563 6564 401d00 9 API calls 6560->6564 6563->6549 6563->6550 6564->6563 6566 40217a 6565->6566 6567 402175 6565->6567 6569 4021ab RtlEnterCriticalSection 6566->6569 6570 40217e 6566->6570 6577 4021b5 6566->6577 6568 401918 4 API calls 6567->6568 6568->6566 6569->6577 6570->6549 6571 4021c1 6573 4022e3 RtlLeaveCriticalSection 6571->6573 6574 4022ed 6571->6574 6572 402244 6572->6570 6575 401d80 7 API calls 6572->6575 6573->6574 6574->6549 6575->6570 6576 402270 6576->6571 6578 401d00 7 API calls 6576->6578 6577->6571 6577->6572 6577->6576 6578->6571 6580 40215c 9 API calls 6579->6580 6581 401b95 6580->6581 6581->6563 6583 401d92 6582->6583 6584 401d89 6582->6584 6583->6558 6584->6583 6585 401b74 9 API calls 6584->6585 6585->6583 6591 401768 6586->6591 6588 401e99 6589 401dcc 9 API calls 6588->6589 6590 401ea6 6588->6590 6589->6590 6590->6558 6593 401787 6591->6593 6592 401494 LocalAlloc VirtualAlloc 
VirtualAlloc VirtualFree 6592->6593 6593->6592 6594 40183b 6593->6594 6595 40132c LocalAlloc 6593->6595 6597 401821 6593->6597 6599 4017d6 6593->6599 6600 4017e7 6594->6600 6606 4015c4 6594->6606 6595->6593 6598 40150c VirtualFree 6597->6598 6598->6600 6602 40150c 6599->6602 6600->6588 6603 40153b 6602->6603 6604 401594 6603->6604 6605 401568 VirtualFree 6603->6605 6604->6600 6605->6603 6607 40160a 6606->6607 6608 40163a 6607->6608 6609 401626 VirtualAlloc 6607->6609 6608->6600 6609->6607 6609->6608 6610 4028d2 6613 4028da 6610->6613 6611 403554 4 API calls 6611->6613 6612 4028ef 6614 4025ac 4 API calls 6612->6614 6613->6611 6613->6612 6615 4028f4 6614->6615 6616 4094d2 6617 4094c4 6616->6617 6618 409460 Wow64RevertWow64FsRedirection 6617->6618 6619 4094cc 6618->6619 7043 4019d3 7044 4019ba 7043->7044 7045 4019c3 RtlLeaveCriticalSection 7044->7045 7046 4019cd 7044->7046 7045->7046 6620 4094d4 SetLastError 6621 4094dd 6620->6621 5873 407bd6 5875 407bd8 5873->5875 5874 407b90 WriteFile 5876 407ba3 5874->5876 5877 407b9c 5874->5877 5875->5874 5881 407c94 5875->5881 5879 407bb4 5876->5879 5880 4078a0 34 API calls 5876->5880 5878 407940 35 API calls 5877->5878 5878->5876 5880->5879 5848 407ae0 ReadFile 5849 407b00 5848->5849 5850 407b17 5848->5850 5851 407b10 5849->5851 5852 407b06 GetLastError 5849->5852 5853 407940 35 API calls 5851->5853 5852->5850 5852->5851 5853->5850 7050 4075e2 7051 4075cc 7050->7051 7052 403198 4 API calls 7051->7052 7053 4075d4 7052->7053 7054 403198 4 API calls 7053->7054 7055 4075dc 7054->7055 7056 4093e4 7059 4092b0 7056->7059 7060 4092b9 7059->7060 7061 403198 4 API calls 7060->7061 7062 4092c7 7060->7062 7061->7060 7063 4055e8 7064 4055fb 7063->7064 7065 4052e0 33 API calls 7064->7065 7066 40560f 7065->7066 7067 402be9 RaiseException 7068 402c04 7067->7068 6622 40acec 6623 40ad11 6622->6623 6624 409e14 29 API calls 6623->6624 6627 40ad16 6624->6627 6625 40ad69 6656 4026c4 GetSystemTime 6625->6656 6627->6625 6630 40928c 18 API calls 
6627->6630 6628 40ad6e 6629 409808 46 API calls 6628->6629 6631 40ad76 6629->6631 6633 40ad45 6630->6633 6632 4031e8 18 API calls 6631->6632 6634 40ad83 6632->6634 6636 40ad4d MessageBoxA 6633->6636 6635 406db0 19 API calls 6634->6635 6637 40ad90 6635->6637 6636->6625 6638 40ad5a 6636->6638 6639 406b48 19 API calls 6637->6639 6640 405cec 19 API calls 6638->6640 6641 40ada0 6639->6641 6640->6625 6642 406ac0 19 API calls 6641->6642 6643 40adb1 6642->6643 6644 403340 18 API calls 6643->6644 6645 40adbf 6644->6645 6646 4031e8 18 API calls 6645->6646 6647 40adcf 6646->6647 6648 407994 37 API calls 6647->6648 6649 40ae0e 6648->6649 6650 402594 18 API calls 6649->6650 6651 40ae2e 6650->6651 6652 407edc 19 API calls 6651->6652 6653 40ae70 6652->6653 6654 40816c 35 API calls 6653->6654 6655 40ae97 6654->6655 6656->6628 6661 402af2 6662 402afe 6661->6662 6665 402ed0 6662->6665 6666 403154 4 API calls 6665->6666 6668 402ee0 6666->6668 6667 402b03 6668->6667 6670 402b0c 6668->6670 6671 402b25 6670->6671 6672 402b15 RaiseException 6670->6672 6671->6667 6672->6671 7079 402dfa 7080 402e26 7079->7080 7081 402e0d 7079->7081 7083 402ba4 7081->7083 7084 402bc9 7083->7084 7085 402bad 7083->7085 7084->7080 7086 402bb5 RaiseException 7085->7086 7086->7084 6275 4079fc 6276 407a08 CloseHandle 6275->6276 6277 407a11 6275->6277 6276->6277 6683 403a80 CloseHandle 6684 403a90 6683->6684 6685 403a91 GetLastError 6683->6685 6686 404283 6687 4042c3 6686->6687 6688 403154 4 API calls 6687->6688 6689 404323 6688->6689 7087 404185 7088 4041ff 7087->7088 7089 4041cc 7088->7089 7090 403154 4 API calls 7088->7090 7091 404323 7090->7091 6690 403e87 6691 403e4c 6690->6691 6692 403e62 6691->6692 6693 403e7b 6691->6693 6695 403e67 6691->6695 6699 403cc8 6692->6699 6696 402674 4 API calls 6693->6696 6697 403e78 6695->6697 6703 402674 6695->6703 6696->6697 6701 403cd6 6699->6701 6700 403ceb 6700->6695 6701->6700 6702 402674 4 API calls 6701->6702 6702->6700 6704 403154 4 API calls 6703->6704 6705 40267a 
                                                        (control-flow graph node and edge listing for the preceding function omitted)

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
                                                        • GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
                                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
                                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
                                                        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModulePolicyProcessVersion
                                                        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                        • API String ID: 3297890031-1119018034
                                                        • Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
                                                        • Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
                                                        • Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
                                                        • Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

                                                        Control-flow Graph

                                                        (control-flow graph node and edge listing omitted; the calls it contains are listed under APIs below)
                                                        APIs
                                                        • GetSystemInfo.KERNEL32(?), ref: 0040A062
                                                        • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
                                                        • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
                                                        • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ProtectQuery$InfoSystem
                                                        • String ID:
                                                        • API String ID: 2441996862-0
                                                        • Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
                                                        • Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
                                                        • Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
                                                        • Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
                                                        • Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
                                                        • Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
                                                        • Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

                                                        Control-flow Graph

                                                        APIs
                                                        • SetLastError.KERNEL32 ref: 0040AF99
                                                          • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02022C48), ref: 00409B44
                                                        • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
                                                        • SetWindowLongA.USER32(00020422,000000FC,00409E38), ref: 0040AFED
                                                        • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
                                                        • DestroyWindow.USER32(00020422,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                        • API String ID: 3757039580-3001827809
                                                        • Opcode ID: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
                                                        • Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
                                                        • Opcode Fuzzy Hash: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
                                                        • Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                        • API String ID: 1646373207-2130885113
                                                        • Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
                                                        • Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
                                                        • Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
                                                        • Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
                                                        • SetWindowLongA.USER32(00020422,000000FC,00409E38), ref: 0040AFED
                                                          • Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C
                                                          • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0,00000000,00409F97), ref: 00409F34
                                                          • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0,00000000), ref: 00409F48
                                                          • Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
                                                          • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
                                                          • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0), ref: 00409F7C
                                                        • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
                                                        • DestroyWindow.USER32(00020422,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                        • API String ID: 3586484885-3001827809
                                                        • Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
                                                        • Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
                                                        • Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
                                                        • Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0,00000000,00409F97), ref: 00409F34
                                                        • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0,00000000), ref: 00409F48
                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
                                                        • GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02022C48,00409FB0), ref: 00409F7C
                                                          • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02022C48), ref: 00409B44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                        • String ID: D
                                                        • API String ID: 3356880605-2746444292
                                                        • Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
                                                        • Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
                                                        • Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
                                                        • Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669

                                                        Control-flow Graph

                                                        (control-flow graph node and edge listing omitted; the calls it contains are listed under APIs below)
                                                        APIs
                                                        • RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                        • RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                        • RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                        • String ID:
                                                        • API String ID: 730355536-0
                                                        • Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
                                                        • Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
                                                        • Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
                                                        • Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

                                                        Control-flow Graph

                                                        APIs
                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: .tmp$xz@
                                                        • API String ID: 2030045667-184514067
                                                        • Opcode ID: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
                                                        • Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
                                                        • Opcode Fuzzy Hash: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
                                                        • Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD

                                                        Control-flow Graph

                                                        APIs
                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: .tmp$xz@
                                                        • API String ID: 2030045667-184514067
                                                        • Opcode ID: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
                                                        • Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
                                                        • Opcode Fuzzy Hash: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
                                                        • Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectoryErrorLast
                                                        • String ID: .tmp
                                                        • API String ID: 1375471231-2986845003
                                                        • Opcode ID: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
                                                        • Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
                                                        • Opcode Fuzzy Hash: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
                                                        • Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9

                                                        Control-flow Graph
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
                                                          • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                          • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                          • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                          • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                        • String ID:
                                                        • API String ID: 296031713-0
                                                        • Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
                                                        • Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
                                                        • Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
                                                        • Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48

                                                        Control-flow Graph
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00008000), ref: 0040745E
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLibraryLoadMode
                                                        • String ID:
                                                        • API String ID: 2987862817-0
                                                        • Opcode ID: 4793b56485230e99785aeb9e6ac2a80ce95304a0516f2feb538f0725514c6551
                                                        • Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
                                                        • Opcode Fuzzy Hash: 4793b56485230e99785aeb9e6ac2a80ce95304a0516f2feb538f0725514c6551
                                                        • Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

                                                        Control-flow Graph
                                                        APIs
                                                        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407AF7
                                                        • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407B06
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastRead
                                                        • String ID:
                                                        • API String ID: 1948546556-0
                                                        • Opcode ID: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
                                                        • Instruction ID: e6678645df70ceda1296de0698669a3f17118b423087409050d1bdfb176b5629
                                                        • Opcode Fuzzy Hash: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
                                                        • Instruction Fuzzy Hash: 33E092B17081106AEB20A65E9884F6767ECCBC5368F04457BF608DB286D678EC008377

                                                        Control-flow Graph
                                                        APIs
                                                        • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B3F
                                                        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B47
                                                          • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020203AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$FilePointer
                                                        • String ID:
                                                        • API String ID: 1156039329-0
                                                        • Opcode ID: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
                                                        • Instruction ID: e41e806bfeb234626b87b501edff7cf6b7d3219fcc40cd55b05b53632260e4a9
                                                        • Opcode Fuzzy Hash: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
                                                        • Instruction Fuzzy Hash: BDE092767082005BD610E55EC881F9B33DCDFC5368F004137B658EB1D1DA75A8008366
                                                        APIs
                                                        • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A8F
                                                        • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A9B
                                                          • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020203AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$FilePointer
                                                        • String ID:
                                                        • API String ID: 1156039329-0
                                                        • Opcode ID: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
                                                        • Instruction ID: 5d7889b2766bb560f48239758183442fe2ff1acd2572488175a49b0c159bb46e
                                                        • Opcode Fuzzy Hash: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
                                                        • Instruction Fuzzy Hash: 57E04FB16002109FEB20EEB98981B5673D89F44364F048576E614DF2C6D378DC008B66
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocFree
                                                        • String ID:
                                                        • API String ID: 2087232378-0
                                                        • Opcode ID: 1019e1cfc114c1811683628efa18df00737f836a0960651e9d73a3ee1452311a
                                                        • Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
                                                        • Opcode Fuzzy Hash: 1019e1cfc114c1811683628efa18df00737f836a0960651e9d73a3ee1452311a
                                                        • Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
                                                        • Instruction ID: 1ffe8940fb0bba7a1c466ab1a63027f62bf18732910125c6c2e91df4c90979d7
                                                        • Opcode Fuzzy Hash: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
                                                        • Instruction Fuzzy Hash: 7351B12084E2910FDB125B7459A85A13FA1FF5331532A52FBC4D2AB1E3D27CA847835F
                                                        APIs
                                                        • GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727
                                                          • Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181
                                                          • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: DefaultInfoLoadLocaleStringSystem
                                                        • String ID:
                                                        • API String ID: 1658689577-0
                                                        • Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
                                                        • Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
                                                        • Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
                                                        • Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
                                                        • Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
                                                        • Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
                                                        • Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00406EAC,?,?,?,?,00000000,?,00406EC1,0040721B,00000000,00407260,?,?,?), ref: 00406E8F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
                                                        • Instruction ID: 7ab40f028fd3c5f14a353e55118c7c81c89abefc65ec3810316971f178424404
                                                        • Opcode Fuzzy Hash: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
                                                        • Instruction Fuzzy Hash: 21E06D35204704BFD701EEA2DD52A5ABBACDB89B04BA24476F501A6682D6796E1084A8
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
                                                        • Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
                                                        • Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
                                                        • Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93
                                                          • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020203AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2582015431.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000001.00000002.2581988057.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582041291.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000001.00000002.2582059812.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID:
                                                        • API String ID: 442123175-0
                                                        • Opcode ID: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
                                                        • Instruction ID: 9cacba7c6654c632647ec303d4b17c56949909c1fcff6adca1bc3dcca5067dcb
                                                        • Opcode Fuzzy Hash: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
                                                        • Instruction Fuzzy Hash: 52E0ED726081106BEB10E65A9984E9777ECDFC5364F00407BB648DB241D578AC058676
                                                        APIs
                                                        • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757
                                                        Similarity
                                                        • API ID: FormatMessage
                                                        • String ID:
                                                        • API String ID: 1306739567-0
                                                        • Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
                                                        • Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
                                                        • Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
                                                        • Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F
                                                        APIs
                                                        • SetEndOfFile.KERNEL32(?,02260004,0040AF31,00000000), ref: 00407B67
                                                          • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,020203AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                        Similarity
                                                        • API ID: ErrorFileLast
                                                        • String ID:
                                                        • API String ID: 734332943-0
                                                        • Opcode ID: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
                                                        • Instruction ID: 97af4fe43c66ae010506ec3d7cd84cb65660405db9abbaf149828d557edbb573
                                                        • Opcode Fuzzy Hash: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
                                                        • Instruction Fuzzy Hash: F3C04CB160410057DB00A6AE85C1E1672D85A4825830040B6B604DB257D678E8108719
                                                        APIs
                                                        • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
                                                        • Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
                                                        • Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
                                                        • Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519
                                                        APIs
                                                        • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
                                                        • Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
                                                        • Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
                                                        • Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B
                                                        APIs
                                                        • CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA
                                                        Similarity
                                                        • API ID: CharPrev
                                                        • String ID:
                                                        • API String ID: 122130370-0
                                                        • Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
                                                        • Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
                                                        • Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
                                                        • Instruction Fuzzy Hash:
                                                        APIs
                                                        • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401570
                                                        Similarity
                                                        • API ID: FreeVirtual
                                                        • String ID:
                                                        • API String ID: 1263568516-0
                                                        • Opcode ID: aa92942ecb50d866b70c44cc6147264c5baa39c8187bf4e8357453622c40a3ad
                                                        • Instruction ID: ed4d65520c00d96bd64096adec8f86249eaccd310614155879460d3c6a05d2ca
                                                        • Opcode Fuzzy Hash: aa92942ecb50d866b70c44cc6147264c5baa39c8187bf4e8357453622c40a3ad
                                                        • Instruction Fuzzy Hash: EC21F970608711AFC700DF19C880A5AB7E0EFC4760F14C96AE899AB3A1D374EC45CB9A
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00408454
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
                                                        • Instruction ID: f6409c4485ca7bd338f5543af8cc2530bb3769743075a02b7f3240cefa60082b
                                                        • Opcode Fuzzy Hash: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
                                                        • Instruction Fuzzy Hash: 3E1181716006059BDB00EF69C981B4B7794EF84359F04847EF998AB2C6DF38DC058B6A
                                                        APIs
                                                        • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                        Similarity
                                                        • API ID: FreeVirtual
                                                        • String ID:
                                                        • API String ID: 1263568516-0
                                                        • Opcode ID: 94d053d0c3743bff5dc438ce53a4c6e7cb02053c2ce333ba5c6edfdb2e0f1eae
                                                        • Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
                                                        • Opcode Fuzzy Hash: 94d053d0c3743bff5dc438ce53a4c6e7cb02053c2ce333ba5c6edfdb2e0f1eae
                                                        • Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8
                                                        APIs
                                                        Similarity
                                                        • API ID: CloseHandle
                                                        • String ID:
                                                        • API String ID: 2962429428-0
                                                        • Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
                                                        • Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
                                                        • Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
                                                        • Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389
                                                        APIs
                                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00408351), ref: 00408383
                                                        Similarity
                                                        • API ID: FreeVirtual
                                                        • String ID:
                                                        • API String ID: 1263568516-0
                                                        • Opcode ID: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
                                                        • Instruction ID: c3f7fe7f71c209b7548f3f70eea4568eea5cceda8148a565dbcaceff9471b988
                                                        • Opcode Fuzzy Hash: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
                                                        • Instruction Fuzzy Hash: 9CD002B1755304AFDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6E775D8108B14
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
                                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
                                                        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
                                                        Strings
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                        • String ID: SeShutdownPrivilege
                                                        • API String ID: 107509674-3733053543
                                                        • Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
                                                        • Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
                                                        • Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
                                                        • Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F
                                                        APIs
                                                        • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
                                                        • SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
                                                        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
                                                        • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C
                                                        Similarity
                                                        • API ID: Resource$FindLoadLockSizeof
                                                        • String ID:
                                                        • API String ID: 3473537107-0
                                                        • Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
                                                        • Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
                                                        • Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
                                                        • Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
                                                        • Instruction ID: d144edb85d9c502d4ea0939edf991ab5ce3f28f90927345f3a95d007e4e99129
                                                        • Opcode Fuzzy Hash: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
                                                        • Instruction Fuzzy Hash: DCD0A7AA31E250BAE310519B2D85EBB4BDCCBC57B4F14443FFA48D7242D2248C06A7B6
                                                        APIs
                                                        • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                        Similarity
                                                        • API ID: SystemTime
                                                        • String ID:
                                                        • API String ID: 2656138-0
                                                        • Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
                                                        • Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
                                                        • Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
                                                        • Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                        • Instruction ID: 3b27ac6c5e0f9a5810868b706c98a54019571903b6d877547466b603179570a7
                                                        • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                        • Instruction Fuzzy Hash: 9E32D674E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF55
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555
                                                        Similarity
                                                        • API ID: AddressCloseHandleModuleProc
                                                        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                        • API String ID: 4190037839-2401316094
                                                        • Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
                                                        • Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
                                                        • Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
                                                        • Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                        • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                        Similarity
                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                        • String ID:
                                                        • API String ID: 1694776339-0
                                                        • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                        • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                        • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                        • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                        APIs
                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866
                                                          • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                          • Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
                                                        Similarity
                                                        • API ID: InfoLocale$DefaultSystem
                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                        • API String ID: 1044490935-665933166
                                                        • Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
                                                        • Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
                                                        • Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
                                                        • Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
                                                        • LocalFree.KERNEL32(004B0620,00000000,00401AB4), ref: 00401A1B
                                                        • VirtualFree.KERNEL32(?,00000000,00008000,004B0620,00000000,00401AB4), ref: 00401A3A
                                                        • LocalFree.KERNEL32(004B1620,?,00000000,00008000,004B0620,00000000,00401AB4), ref: 00401A79
                                                        • RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
                                                        • RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
                                                        Similarity
                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                        • String ID:
                                                        • API String ID: 3782394904-0
                                                        • Opcode ID: cd16023abb96cb21e403ebb25ca28ee2789d023fd43f0fa3de37ec6181e386dc
                                                        • Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
                                                        • Opcode Fuzzy Hash: cd16023abb96cb21e403ebb25ca28ee2789d023fd43f0fa3de37ec6181e386dc
                                                        • Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D
                                                        APIs
                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                        • ExitProcess.KERNEL32 ref: 00403DE5
                                                        Similarity
                                                        • API ID: ExitMessageProcess
                                                        • String ID: Error$Runtime error at 00000000$9@
                                                        • API String ID: 1220098344-1503883590
                                                        • Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
                                                        • Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
                                                        • Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
                                                        • Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                        • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                        • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocString
                                                        • String ID:
                                                        • API String ID: 262959230-0
                                                        • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                        • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                        • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                        • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                        APIs
                                                        • RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037
                                                        Similarity
                                                        • API ID: Unwind
                                                        • String ID: a@$,`@
                                                        • API String ID: 3419175465-3299659662
                                                        • Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
                                                        • Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
                                                        • Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
                                                        • Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769
                                                        APIs
                                                        • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195
                                                        Strings
                                                        • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
                                                        • Setup, xrefs: 0040A185
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                        • API String ID: 2030045667-3271211647
                                                        • Opcode ID: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
                                                        • Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
                                                        • Opcode Fuzzy Hash: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
                                                        • Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
                                                        • GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE
                                                        Similarity
                                                        • API ID: CommandHandleLineModule
                                                        • String ID: U1hd.@
                                                        • API String ID: 2123368496-2904493091
                                                        • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                        • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
                                                        • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                        • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD
                                                        APIs
                                                        • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
                                                        • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
                                                        • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
                                                        • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
                                                        Similarity
                                                        • API ID: ErrorLastSleep
                                                        • String ID:
                                                        • API String ID: 1458359878-0
                                                        • Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
                                                        • Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
                                                        • Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
                                                        • Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9

                                                        Execution Graph

                                                        Execution Coverage:7.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:9.2%
                                                        Total number of Nodes:1428
                                                        Total number of Limit Nodes:62
GetSystemMetrics GetWindowLongA 52451->52470 52453 4202d9 52454 420303 52453->52454 52455 4202dd 52453->52455 52480 41fe4c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 52454->52480 52471 42002c 52455->52471 52459 420311 52460 420315 52459->52460 52461 42033b 52459->52461 52463 42002c 10 API calls 52460->52463 52464 42002c 10 API calls 52461->52464 52462 42002c 10 API calls 52465 420301 52462->52465 52466 420327 52463->52466 52467 42034d 52464->52467 52465->52448 52468 42002c 10 API calls 52466->52468 52469 42002c 10 API calls 52467->52469 52468->52465 52469->52465 52470->52453 52472 420047 52471->52472 52473 42005d 52472->52473 52474 41fdcc 4 API calls 52472->52474 52481 41fdcc 52473->52481 52474->52473 52476 4200a5 52477 4200c8 SetScrollInfo 52476->52477 52489 41ff2c 52477->52489 52480->52459 52500 418670 52481->52500 52483 41fde9 GetWindowLongA 52484 41fe26 52483->52484 52485 41fe06 52483->52485 52503 41fd58 GetWindowLongA GetSystemMetrics GetSystemMetrics 52484->52503 52502 41fd58 GetWindowLongA GetSystemMetrics GetSystemMetrics 52485->52502 52488 41fe12 52488->52476 52490 41ff3a 52489->52490 52491 41ff42 52489->52491 52490->52462 52492 41ff7f 52491->52492 52493 41ff81 52491->52493 52494 41ff71 52491->52494 52497 41ffc1 GetScrollPos 52492->52497 52505 4182d8 IsWindowVisible ScrollWindow SetWindowPos 52493->52505 52504 4182d8 IsWindowVisible ScrollWindow SetWindowPos 52494->52504 52497->52490 52498 41ffcc 52497->52498 52499 41ffdb SetScrollPos 52498->52499 52499->52490 52501 41867a 52500->52501 52501->52483 52502->52488 52503->52488 52504->52492 52505->52492 52506 420a28 52507 420a3b 52506->52507 52527 415fc0 52507->52527 52509 420b82 52510 420b99 52509->52510 52534 414b64 KiUserCallbackDispatcher 52509->52534 52514 420bb0 52510->52514 52535 414ba8 KiUserCallbackDispatcher 52510->52535 52511 420ae1 52532 420cd8 20 API calls 52511->52532 52512 420a76 52512->52509 52512->52511 52520 420ad2 MulDiv 52512->52520 52517 420bd2 52514->52517 52536 
4204f0 12 API calls 52514->52536 52519 420afa 52519->52509 52533 4204f0 12 API calls 52519->52533 52531 41a794 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 52520->52531 52523 420b17 52524 420b33 MulDiv 52523->52524 52525 420b56 52523->52525 52524->52525 52525->52509 52526 420b5f MulDiv 52525->52526 52526->52509 52528 415fd2 52527->52528 52537 414900 52528->52537 52530 415fea 52530->52512 52531->52511 52532->52519 52533->52523 52534->52510 52535->52514 52536->52517 52538 41491a 52537->52538 52541 4108e8 52538->52541 52540 414930 52540->52530 52544 40e134 52541->52544 52543 4108ee 52543->52540 52545 40e196 52544->52545 52546 40e147 52544->52546 52547 40e1a4 19 API calls 52545->52547 52551 40e1a4 52546->52551 52548 40e1a0 52547->52548 52548->52543 52550 40e171 52550->52543 52552 40e1b4 52551->52552 52554 40e1ca 52552->52554 52563 40da70 52552->52563 52583 40e52c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52552->52583 52566 40e3dc 52554->52566 52557 40e1d2 52558 40da70 5 API calls 52557->52558 52559 40e23e 52557->52559 52569 40dff0 52557->52569 52558->52557 52561 40e3dc 5 API calls 52559->52561 52562 40e246 52561->52562 52562->52550 52584 40ee98 52563->52584 52592 40d94c 52566->52592 52601 40e3e4 52569->52601 52574 40edfc 5 API calls 52575 40e039 52574->52575 52576 40e054 52575->52576 52577 40e04b 52575->52577 52582 40e051 52575->52582 52617 40de68 52576->52617 52620 40df58 19 API calls 52577->52620 52580 403420 4 API calls 52581 40e11f 52580->52581 52581->52557 52582->52580 52583->52552 52587 40dc10 52584->52587 52590 40dc1b 52587->52590 52588 40da7a 52588->52552 52590->52588 52591 40dc5c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52590->52591 52591->52590 52593 40ee98 5 API calls 52592->52593 52594 40d959 52593->52594 52595 40d96c 52594->52595 52599 40ef9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52594->52599 52595->52557 52597 40d967 52600 40d8e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 
LoadStringA 52597->52600 52599->52597 52600->52595 52621 40dbf4 52601->52621 52604 40e023 52608 40edfc 52604->52608 52605 40ee98 5 API calls 52606 40e408 52605->52606 52606->52604 52624 40e368 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52606->52624 52609 40dc10 5 API calls 52608->52609 52610 40ee11 52609->52610 52611 4034e0 4 API calls 52610->52611 52612 40ee1f 52611->52612 52613 403744 4 API calls 52612->52613 52614 40ee26 52613->52614 52615 40dc10 5 API calls 52614->52615 52616 40e02e 52615->52616 52616->52574 52625 40b00c 19 API calls 52617->52625 52619 40de90 52619->52582 52620->52582 52622 40ee98 5 API calls 52621->52622 52623 40dbfe 52622->52623 52623->52604 52623->52605 52624->52604 52625->52619 52626 413acc SetWindowLongA GetWindowLongA 52627 413b29 SetPropA SetPropA 52626->52627 52628 413b0b GetWindowLongA 52626->52628 52632 41f82c KiUserCallbackDispatcher 52627->52632 52628->52627 52629 413b1a SetWindowLongA 52628->52629 52629->52627 52630 413b79 52632->52630 52633 416eac 52634 416ebf 52633->52634 52638 416ed7 52633->52638 52635 416ec1 52634->52635 52636 416f2a 52634->52636 52643 416ef4 52635->52643 52644 416ec6 52635->52644 52650 415700 52636->52650 52640 416ed2 52638->52640 52658 416e20 PtInRect GetCapture 52638->52658 52641 415700 59 API calls 52640->52641 52642 416f61 52640->52642 52641->52642 52643->52640 52649 421f7c 6 API calls 52643->52649 52644->52640 52646 416f91 GetCapture 52644->52646 52646->52640 52647 416f33 52647->52642 52657 416d60 PtInRect 52647->52657 52649->52640 52651 41570d 52650->52651 52652 415773 52651->52652 52653 415768 52651->52653 52656 415771 52651->52656 52659 42501c 13 API calls 52652->52659 52653->52656 52660 4154ec 46 API calls 52653->52660 52656->52647 52657->52642 52658->52640 52659->52656 52660->52656 52661 414b0c KiUserCallbackDispatcher 52662 422cec 52663 422d1c 52662->52663 52664 422cff 52662->52664 52666 422f31 52663->52666 52667 422d56 52663->52667 52671 422f8f 52663->52671 52664->52663 52665 40914c 
5 API calls 52664->52665 52665->52663 52668 422f83 52666->52668 52669 422f79 52666->52669 52690 422dad 52667->52690 52702 423638 GetSystemMetrics 52667->52702 52668->52671 52677 422fc7 52668->52677 52678 422fa8 52668->52678 52706 4222bc 11 API calls 52669->52706 52672 422e59 52674 422e65 52672->52674 52675 422e9b 52672->52675 52673 422f0c 52680 422f26 ShowWindow 52673->52680 52681 422e6f SendMessageA 52674->52681 52682 422eb5 ShowWindow 52675->52682 52684 422fd1 GetActiveWindow 52677->52684 52683 422fbf SetWindowPos 52678->52683 52679 422df1 52703 423630 GetSystemMetrics 52679->52703 52680->52671 52687 418670 52681->52687 52689 418670 52682->52689 52683->52671 52685 422fdc 52684->52685 52686 422ffb 52684->52686 52695 422fe4 IsIconic 52685->52695 52692 423001 52686->52692 52693 423026 52686->52693 52691 422e93 ShowWindow 52687->52691 52694 422ed7 CallWindowProcA 52689->52694 52690->52672 52690->52673 52696 422eea SendMessageA 52691->52696 52699 423018 SetWindowPos SetActiveWindow 52692->52699 52700 423030 ShowWindow 52693->52700 52704 415154 52694->52704 52695->52686 52698 422fee 52695->52698 52696->52671 52707 41f484 GetCurrentThreadId EnumThreadWindows 52698->52707 52699->52671 52700->52671 52702->52679 52703->52690 52705 415165 52704->52705 52705->52696 52706->52668 52707->52686 52708 482cd8 52709 482ce1 52708->52709 52710 482d0b 52709->52710 52711 482ced 52709->52711 52713 481580 24 API calls 52710->52713 52712 482d02 52711->52712 53010 481750 43 API calls 52711->53010 53011 481580 52712->53011 52716 482d09 52713->52716 52717 482d38 52716->52717 52718 482d46 52716->52718 53014 478dc4 206 API calls 52717->53014 52719 482d85 52718->52719 53016 4816e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52718->53016 52720 482da9 52719->52720 52723 482d9c 52719->52723 52724 482d9e 52719->52724 52726 482dbb 52720->52726 52727 482dc1 52720->52727 52734 48172c 43 API calls 52723->52734 53018 4817c0 43 API calls 52724->53018 52725 482d3d 52725->52718 53015 409070 LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue LoadStringA 52725->53015 52730 482dbf 52726->52730 52736 48172c 43 API calls 52726->52736 52727->52730 52735 48172c 43 API calls 52727->52735 52728 482d78 53017 481750 43 API calls 52728->53017 52844 47e8a8 52730->52844 52734->52720 52735->52730 52736->52730 52737 482de8 52918 47edd0 52737->52918 52742 482e02 52744 482e12 52742->52744 53020 481b24 27 API calls 52742->53020 52746 482e69 52744->52746 52996 450a28 52744->52996 53022 481ec4 6 API calls 52746->53022 52749 482e6e 52750 482e7b 52749->52750 52751 482fd6 52749->52751 53023 4979bc 7 API calls 52750->53023 53030 481de0 18 API calls 52751->53030 52753 482e33 52753->52746 53021 4319e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52753->53021 52755 482e87 53024 497a74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52755->53024 52756 482fd4 53031 47e4a8 52756->53031 52758 482ef8 52760 482f10 52758->52760 53025 497afc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52758->53025 53026 481de0 18 API calls 52760->53026 52763 403450 4 API calls 52766 483005 52763->52766 52768 48300e 52766->52768 52769 483030 52766->52769 52767 482f1f 52770 482f3c 52767->52770 53027 497afc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52767->53027 52771 47e4a8 43 API calls 52768->52771 53034 47c1f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52769->53034 53028 497c0c 18 API calls 52770->53028 52775 48301e 52771->52775 52778 403450 4 API calls 52775->52778 52776 48303d 52779 48304e 52776->52779 52781 403494 4 API calls 52776->52781 52777 482f9c 52777->52756 52785 4585a0 24 API calls 52777->52785 52780 48302e 52778->52780 52782 47e4a8 43 API calls 52779->52782 52784 47e4a8 43 API calls 52780->52784 52781->52779 52783 483070 52782->52783 53035 451ad8 52783->53035 52786 4830b6 52784->52786 52787 482fcf 52785->52787 52789 403450 4 API calls 52786->52789 53029 409070 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52787->53029 52792 4830c6 52789->52792 52794 47e4a8 43 API calls 52792->52794 
52793 403450 4 API calls 52793->52780 52795 4830d6 52794->52795 52796 403450 4 API calls 52795->52796 52797 4830e6 52796->52797 52798 47e4a8 43 API calls 52797->52798 52799 4830f3 52798->52799 53047 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52799->53047 52801 483106 52802 42ef38 5 API calls 52801->52802 52808 483119 52802->52808 52806 481214 43 API calls 52806->52808 52807 48319f 53054 455cd0 10 API calls 52807->53054 52808->52806 52813 48315d 52808->52813 53048 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52808->53048 53049 409070 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52808->53049 53050 455cc8 10 API calls 52808->53050 52812 481214 43 API calls 52812->52813 52813->52807 52813->52812 53051 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52813->53051 53052 409070 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52813->53052 53053 455cc8 10 API calls 52813->53053 52816 4831a7 52818 483227 52816->52818 53055 47b7d4 19 API calls 52816->53055 53056 478ac4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52816->53056 52817 4835c3 52820 403420 4 API calls 52817->52820 52834 4832e7 52818->52834 53057 47b7d4 19 API calls 52818->53057 53058 478ac4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52818->53058 52819 4834f8 52833 483549 52819->52833 53062 47f6cc 19 API calls 52819->53062 52823 4835ed 52820->52823 52825 403420 4 API calls 52823->52825 52827 4835fa 52825->52827 52828 403400 4 API calls 52827->52828 52832 483602 52828->52832 52829 47e4a8 43 API calls 52842 48341e 52829->52842 52831 42d8dc 6 API calls 52831->52842 52835 403420 4 API calls 52832->52835 52833->52817 53063 47f7b0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52833->53063 52834->52819 52834->52842 52837 48360f 52835->52837 52836 42cdbc 5 API calls 52836->52842 52838 403420 4 API calls 52837->52838 52839 48361c 52838->52839 52842->52829 52842->52831 52842->52834 52842->52836 53059 42cde4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 
52842->53059 53060 47ba90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52842->53060 53061 481f4c 13 API calls 52842->53061 52845 42dd28 5 API calls 52844->52845 52846 47e8cc 52845->52846 52847 403450 4 API calls 52846->52847 52848 47e8d9 52847->52848 52849 42dd54 5 API calls 52848->52849 52850 47e8e1 52849->52850 52851 403450 4 API calls 52850->52851 52852 47e8ee 52851->52852 53064 42dd80 52852->53064 52854 47e8f6 52855 403450 4 API calls 52854->52855 52856 47e903 52855->52856 52857 47e90c 52856->52857 52858 47e928 52856->52858 52860 42d698 5 API calls 52857->52860 52859 403400 4 API calls 52858->52859 52862 47e926 52859->52862 52861 47e919 52860->52861 52863 403450 4 API calls 52861->52863 52864 47e96d 52862->52864 53088 42cd5c LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 52862->53088 52863->52862 53068 47e730 52864->53068 52867 47e948 52870 403450 4 API calls 52867->52870 52869 403450 4 API calls 52871 47e989 52869->52871 52872 47e955 52870->52872 52873 47e9a7 52871->52873 52874 4035c0 4 API calls 52871->52874 52872->52864 52876 403450 4 API calls 52872->52876 52875 47e730 8 API calls 52873->52875 52874->52873 52877 47e9b6 52875->52877 52876->52864 52878 403450 4 API calls 52877->52878 52879 47e9c3 52878->52879 52880 47e9eb 52879->52880 52881 42c88c 5 API calls 52879->52881 52882 47ea52 52880->52882 52885 47e730 8 API calls 52880->52885 52883 47e9d9 52881->52883 52884 47eb18 52882->52884 52890 47ea72 SHGetKnownFolderPath 52882->52890 52889 4035c0 4 API calls 52883->52889 52887 47eb42 52884->52887 52888 47eb21 52884->52888 52886 47ea03 52885->52886 52891 403450 4 API calls 52886->52891 52893 42c88c 5 API calls 52887->52893 52892 42c88c 5 API calls 52888->52892 52889->52880 52894 47eac5 SHGetKnownFolderPath 52890->52894 52895 47ea8c 52890->52895 52902 47ea10 52891->52902 52898 47eb2e 52892->52898 52899 47eb4f 52893->52899 52894->52884 52897 47eadf 52894->52897 53091 403ba4 7 API calls 52895->53091 53092 403ba4 7 API calls 52897->53092 52904 
4035c0 4 API calls 52898->52904 52905 4035c0 4 API calls 52899->52905 52900 47eaa7 CoTaskMemFree 52900->52737 52901 47ea23 52909 47e730 8 API calls 52901->52909 52902->52901 53089 453b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52902->53089 52906 47eb40 52904->52906 52905->52906 53079 47e814 52906->53079 52908 47eafa CoTaskMemFree 52908->52737 52911 47ea32 52909->52911 52913 403450 4 API calls 52911->52913 52915 47ea3f 52913->52915 52914 403400 4 API calls 52916 47eb7b 52914->52916 52915->52882 53090 453b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52915->53090 52916->52737 52919 47edd8 52918->52919 52919->52919 53116 454220 52919->53116 52922 403450 4 API calls 52923 47ee05 52922->52923 52924 403494 4 API calls 52923->52924 52925 47ee12 52924->52925 52926 40357c 4 API calls 52925->52926 52927 47ee20 52926->52927 52928 4585a0 24 API calls 52927->52928 52929 47ee28 52928->52929 52930 47ee3b 52929->52930 53146 457d98 6 API calls 52929->53146 52932 42c88c 5 API calls 52930->52932 52933 47ee48 52932->52933 52934 4035c0 4 API calls 52933->52934 52935 47ee58 52934->52935 52936 47ee62 CreateDirectoryA 52935->52936 52937 47ee6c GetLastError 52936->52937 52959 47eec8 52936->52959 53147 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52937->53147 52940 47eed5 52942 47eefe 52940->52942 52946 4035c0 4 API calls 52940->52946 52941 47ee84 52943 4071f8 19 API calls 52941->52943 52945 403420 4 API calls 52942->52945 52944 47ee94 52943->52944 52947 42ed58 5 API calls 52944->52947 52948 47ef18 52945->52948 52949 47eeeb 52946->52949 52950 47eea4 52947->52950 52951 403420 4 API calls 52948->52951 53141 47ed78 52949->53141 53148 451c00 52950->53148 52954 47ef25 52951->52954 52960 47f0b4 52954->52960 52955 47eef6 53153 458ce0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52955->53153 53134 458ca0 52959->53134 52961 42dd54 5 API calls 52960->52961 52962 47f0de 52961->52962 52963 42c88c 5 API calls 52962->52963 52964 47f0e9 52963->52964 52965 4035c0 4 API calls 
52964->52965 52966 47f0f9 52965->52966 53248 452db0 52966->53248 52969 47f169 52970 42dd54 5 API calls 52969->52970 52972 47f171 52970->52972 52971 42c88c 5 API calls 52973 47f14c 52971->52973 52975 42c88c 5 API calls 52972->52975 52974 4035c0 4 API calls 52973->52974 52976 47f15c 52974->52976 52977 47f17c 52975->52977 52978 47ed78 25 API calls 52976->52978 52979 40357c 4 API calls 52977->52979 52978->52969 52980 47f189 52979->52980 52981 42e824 2 API calls 52980->52981 52982 47f196 52981->52982 52983 42e824 2 API calls 52982->52983 52984 47f1a3 52983->52984 52985 47f1d6 GetProcAddress 52984->52985 52988 407d84 19 API calls 52984->52988 52986 47f1f2 52985->52986 52987 47f1fc 52985->52987 53252 453b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52986->53252 52991 403420 4 API calls 52987->52991 52989 47f1ce 52988->52989 53251 453b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52989->53251 52993 47f216 52991->52993 52994 403400 4 API calls 52993->52994 52995 47f21e 52994->52995 52995->52742 53019 48198c 31 API calls 52995->53019 52997 450b20 52996->52997 52998 450a53 GetVersion 52996->52998 52999 403420 4 API calls 52997->52999 52998->52997 53000 450a66 52998->53000 53001 450b44 52999->53001 53267 4509f8 GetSystemDirectoryA 53000->53267 53001->52753 53004 42c88c 5 API calls 53005 450a79 53004->53005 53006 40357c 4 API calls 53005->53006 53007 450a86 53006->53007 53008 450a8e LoadLibraryA 53007->53008 53008->52997 53009 450aa2 6 API calls 53008->53009 53009->52997 53010->52712 53012 4587ac 24 API calls 53011->53012 53013 4815a7 53012->53013 53013->52716 53014->52725 53016->52728 53017->52719 53018->52720 53019->52742 53020->52744 53021->52746 53022->52749 53023->52755 53024->52758 53025->52760 53026->52767 53027->52770 53028->52777 53030->52756 53270 47e4f0 53031->53270 53034->52776 53036 403400 4 API calls 53035->53036 53040 451b09 53036->53040 53037 451b34 53038 403420 4 API calls 53037->53038 53039 451bc1 53038->53039 53039->52793 53040->53037 53041 451b20 
53040->53041 53043 4034e0 4 API calls 53040->53043 53046 40357c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53040->53046 53042 40352c 4 API calls 53041->53042 53044 451b2a 53042->53044 53043->53040 53045 40357c 4 API calls 53044->53045 53045->53037 53046->53040 53047->52801 53048->52808 53050->52808 53051->52813 53053->52813 53054->52816 53055->52816 53056->52816 53057->52818 53058->52818 53059->52842 53060->52842 53061->52842 53062->52819 53063->52833 53065 403400 4 API calls 53064->53065 53066 42dd90 GetModuleHandleA GetProcAddress 53065->53066 53067 42dda9 53066->53067 53067->52854 53093 42e2ac 53068->53093 53070 47e756 53071 47e77c 53070->53071 53072 47e75a 53070->53072 53073 403400 4 API calls 53071->53073 53096 42e1dc 53072->53096 53076 47e783 53073->53076 53076->52869 53077 47e771 RegCloseKey 53077->53076 53078 403400 4 API calls 53078->53077 53080 47e822 53079->53080 53081 42e2ac RegOpenKeyExA 53080->53081 53082 47e84a 53081->53082 53083 47e87b 53082->53083 53084 42e1dc 6 API calls 53082->53084 53083->52914 53085 47e860 53084->53085 53086 42e1dc 6 API calls 53085->53086 53087 47e872 RegCloseKey 53086->53087 53087->53083 53088->52867 53089->52901 53090->52882 53091->52900 53092->52908 53094 42e2b7 53093->53094 53095 42e2bd RegOpenKeyExA 53093->53095 53094->53095 53095->53070 53099 42e090 53096->53099 53100 42e0b6 RegQueryValueExA 53099->53100 53104 42e0d9 53100->53104 53115 42e0fb 53100->53115 53101 403400 4 API calls 53103 42e1c7 53101->53103 53102 42e0f3 53105 403400 4 API calls 53102->53105 53103->53077 53103->53078 53104->53102 53106 4034e0 4 API calls 53104->53106 53107 403744 4 API calls 53104->53107 53104->53115 53105->53115 53106->53104 53108 42e130 RegQueryValueExA 53107->53108 53108->53100 53109 42e14c 53108->53109 53110 4038a4 4 API calls 53109->53110 53109->53115 53111 42e18e 53110->53111 53112 42e1a0 53111->53112 53114 403744 4 API calls 53111->53114 53113 403450 4 API calls 53112->53113 53113->53115 53114->53112 53115->53101 53129 454240 
53116->53129 53117 42dea8 10 API calls 53117->53129 53119 454265 CreateDirectoryA 53120 4542dd 53119->53120 53121 45426f GetLastError 53119->53121 53122 403494 4 API calls 53120->53122 53121->53129 53123 4542e7 53122->53123 53125 403420 4 API calls 53123->53125 53126 454301 53125->53126 53128 403420 4 API calls 53126->53128 53127 4071f8 19 API calls 53127->53129 53130 45430e 53128->53130 53129->53117 53129->53119 53129->53127 53131 42ed58 5 API calls 53129->53131 53132 451c00 4 API calls 53129->53132 53154 453fac 53129->53154 53173 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53129->53173 53174 40909c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53129->53174 53130->52922 53131->53129 53132->53129 53135 458cac 53134->53135 53136 458cba 53134->53136 53137 403494 4 API calls 53135->53137 53138 403400 4 API calls 53136->53138 53139 458cb8 53137->53139 53140 458cc1 53138->53140 53139->52940 53140->52940 53201 40d3dc 53141->53201 53145 47edaf 53145->52955 53146->52930 53147->52941 53149 451c20 53148->53149 53150 451ad8 4 API calls 53149->53150 53151 451c29 53150->53151 53152 40909c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53151->53152 53152->52959 53153->52942 53155 453fcc 53154->53155 53156 42c88c 5 API calls 53155->53156 53157 453fe5 53156->53157 53158 403494 4 API calls 53157->53158 53159 453ff0 53158->53159 53160 42d050 6 API calls 53159->53160 53163 403634 4 API calls 53159->53163 53166 45406c 53159->53166 53175 453f38 53159->53175 53183 4531c8 53159->53183 53191 451c30 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53159->53191 53192 40909c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53159->53192 53160->53159 53163->53159 53167 403494 4 API calls 53166->53167 53168 454077 53167->53168 53169 403420 4 API calls 53168->53169 53170 454091 53169->53170 53171 403400 4 API calls 53170->53171 53172 454099 53171->53172 53172->53129 53173->53129 53174->53129 53176 403400 4 API calls 53175->53176 53178 453f59 53176->53178 53180 453f86 53178->53180 53193 
403510 53178->53193 53196 403800 53178->53196 53181 403400 4 API calls 53180->53181 53182 453f9b 53181->53182 53182->53159 53184 452efc 2 API calls 53183->53184 53185 4531de 53184->53185 53186 4531e2 53185->53186 53187 42d1ec 7 API calls 53185->53187 53186->53159 53188 4531fd GetLastError 53187->53188 53200 452f38 Wow64RevertWow64FsRedirection 53188->53200 53190 45321d 53190->53159 53191->53159 53192->53159 53194 4034e0 4 API calls 53193->53194 53195 40351d 53194->53195 53195->53178 53197 403804 53196->53197 53199 40382f 53196->53199 53198 4038a4 4 API calls 53197->53198 53198->53199 53199->53178 53200->53190 53202 40d3e6 53201->53202 53212 40d4a0 FindResourceA 53202->53212 53204 40d414 53205 47ec9c 53204->53205 53224 40d230 53205->53224 53207 47ecd1 53208 403420 4 API calls 53207->53208 53209 47ed61 53208->53209 53210 403400 4 API calls 53209->53210 53211 47ed69 53210->53211 53211->53145 53213 40d4c5 53212->53213 53214 40d4cc LoadResource 53212->53214 53222 40d42c 19 API calls 53213->53222 53216 40d4e6 SizeofResource LockResource 53214->53216 53217 40d4df 53214->53217 53220 40d504 53216->53220 53223 40d42c 19 API calls 53217->53223 53218 40d4cb 53218->53214 53220->53204 53221 40d4e5 53221->53216 53222->53218 53223->53221 53229 40d0e0 53224->53229 53226 40d24a 53241 40d218 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53226->53241 53228 40d265 53228->53207 53230 40d0ed 53229->53230 53231 40d109 53230->53231 53232 40d13e 53230->53232 53242 407350 53231->53242 53246 407310 CreateFileA 53232->53246 53235 40d110 53240 40d137 53235->53240 53245 4091bc 19 API calls 53235->53245 53236 40d148 53236->53240 53247 4091bc 19 API calls 53236->53247 53239 40d16f 53239->53240 53240->53226 53241->53228 53243 403738 53242->53243 53244 40736c CreateFileA 53243->53244 53244->53235 53245->53240 53246->53236 53247->53239 53249 452dbd 53248->53249 53253 452ce8 53248->53253 53249->52969 53249->52971 53251->52985 53252->52987 53254 403738 53253->53254 53255 452d05 755A1520 
53254->53255 53256 452d13 53255->53256 53257 452d8a 53255->53257 53258 402648 4 API calls 53256->53258 53261 452d9d 53257->53261 53266 452b0c 27 API calls 53257->53266 53259 452d1a 755A1500 53258->53259 53262 452d58 53259->53262 53263 452d3e 755A1540 53259->53263 53261->53249 53264 402660 4 API calls 53262->53264 53263->53262 53265 452d82 53264->53265 53265->53249 53266->53261 53268 407974 4 API calls 53267->53268 53269 450a22 53268->53269 53269->53004 53271 403494 4 API calls 53270->53271 53278 47e523 53271->53278 53272 47e635 53273 403420 4 API calls 53272->53273 53274 47e4c5 53273->53274 53274->52763 53276 403778 4 API calls 53276->53278 53278->53272 53278->53276 53279 403800 4 API calls 53278->53279 53281 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53278->53281 53282 453b40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53278->53282 53283 47d33c 43 API calls 53278->53283 53284 42ce0c CharPrevA 53278->53284 53279->53278 53281->53278 53282->53278 53283->53278 53284->53278 53285 435dd0 53287 435de5 53285->53287 53286 435dff 53287->53286 53291 4357b8 53287->53291 53298 435802 53291->53298 53302 4357e8 53291->53302 53292 403400 4 API calls 53293 435c07 53292->53293 53293->53286 53304 435c18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53293->53304 53294 447294 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53294->53302 53295 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53295->53302 53296 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53296->53302 53297 402648 4 API calls 53297->53302 53298->53292 53301 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53301->53302 53302->53294 53302->53295 53302->53296 53302->53297 53302->53298 53302->53301 53305 4348a0 53302->53305 53317 435064 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53302->53317 53318 432190 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53302->53318 53304->53286 53306 43495d 53305->53306 53307 4348cd 53305->53307 53344 434800 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 

                                                        Control-flow Graph

                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E566
                                                        • GetVersion.KERNEL32(00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E583
                                                        • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E59C
                                                        • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E5A2
                                                        • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E5B7
                                                        • FreeSid.ADVAPI32(00000000,0042E717,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E70A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                        • String ID: CheckTokenMembership$advapi32.dll
                                                        • API String ID: 2252812187-1888249752
                                                        • Opcode ID: f4960b7a49011525d960532232f681973928629b6f01e22650505b23fa7ca7d4
                                                        • Instruction ID: bd7b6b299922f244852f5898a9d4d4a5ef1c154b8f3e5ea1adaf5ad24a825e41
                                                        • Opcode Fuzzy Hash: f4960b7a49011525d960532232f681973928629b6f01e22650505b23fa7ca7d4
                                                        • Instruction Fuzzy Hash: 36519471B44315AEEB11EAE69C42B7F77ACDB19304F94047BB500EB282D57CDD048B69

                                                        Control-flow Graph

                                                        APIs
                                                        • GetVersion.KERNEL32(00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A53
                                                          • Part of subcall function 004509F8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450A10
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A8F
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmStartSession), ref: 00450AAD
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmRegisterResources), ref: 00450AC2
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmGetList), ref: 00450AD7
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmShutdown), ref: 00450AEC
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmRestart), ref: 00450B01
                                                        • GetProcAddress.KERNEL32(6EDE0000,RmEndSession), ref: 00450B16
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                        • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                        • API String ID: 2754715182-3419246398
                                                        • Opcode ID: 69ff123684ebd81fb8406be45396341c47124d95e1b8311954c188464bf28ffd
                                                        • Instruction ID: 2841e6775defb51719e30d1654eee8915289afef741f041a49b247766738df14
                                                        • Opcode Fuzzy Hash: 69ff123684ebd81fb8406be45396341c47124d95e1b8311954c188464bf28ffd
                                                        • Instruction Fuzzy Hash: 8F212EB4510204BFE710FBE2DC86B6E77E8E714759F540537B840A71A2E678A949CB1C

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: edge listing for the basic blocks starting at 42409c (rendered graph not recoverable from the text export)
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d3afa93adabb46443c504942de233bf03f0b46355f13bd1967fa0a2ed8ec3e90
                                                        • Instruction ID: 825bfe9503c2e42b9fb69ea357955289e6132b3f8b751ff356745ab72a8b0ef1
                                                        • Opcode Fuzzy Hash: d3afa93adabb46443c504942de233bf03f0b46355f13bd1967fa0a2ed8ec3e90
                                                        • Instruction Fuzzy Hash: F0E18C34700124EFD710DB69E585A5EB7B4FB88304FA440A6FA85EB356C738EE81DB19

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: edge listing for the basic blocks starting at 422cec (rendered graph not recoverable from the text export)
                                                        APIs
                                                        • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E84
                                                        • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042304E), ref: 00422E94
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MessageSendShowWindow
                                                        • String ID:
                                                        • API String ID: 1631623395-0
                                                        • Opcode ID: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
                                                        • Instruction ID: 26a98208f56e96a8b9863cf96f01cb8393c818091eec428a2aa80c5483449fd4
                                                        • Opcode Fuzzy Hash: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
                                                        • Instruction Fuzzy Hash: 82915270B04254EFD711DFA9DA86F9E77F4AB04304F5600BAF504AB392C779AE40AB58

                                                        Control-flow Graph

                                                        APIs
                                                        • IsIconic.USER32(?), ref: 0042F784
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0042F798
                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0042F7AF
                                                        • GetActiveWindow.USER32 ref: 0042F7B8
                                                        • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7E5
                                                        • SetActiveWindow.USER32(?,0042F915,00000000,?), ref: 0042F806
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$ActiveLong$IconicMessage
                                                        • String ID:
                                                        • API String ID: 1633107849-0
                                                        • Opcode ID: be0373c710087f03ab0545effd90c0908f588120069f13ff64c56f04a7fa3a3c
                                                        • Instruction ID: 13cdee708698089d3899b8003c30923a51aeb8c8037ba69dea4574f539849007
                                                        • Opcode Fuzzy Hash: be0373c710087f03ab0545effd90c0908f588120069f13ff64c56f04a7fa3a3c
                                                        • Instruction Fuzzy Hash: C6319371A00614AFDB01EFB6DC52D5EBBF8EB09304B9144BAF804E3292D7389D15CB18
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
                                                        • Instruction ID: 256e1aeba2a9af0ec73989512e647111dc5dc60b4a8a7c740aeb84942aea65fa
                                                        • Opcode Fuzzy Hash: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
                                                        • Instruction Fuzzy Hash: 61E0683170021457C311A91A8C82AFBB34CDB18354F40427FBD44E73C2EDB89E4146EC
                                                        APIs
                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245E1,?,00000000,004245EC), ref: 0042403E
                                                        Similarity
                                                        • API ID: NtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 4255912815-0
                                                        • Opcode ID: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
                                                        • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                        • Opcode Fuzzy Hash: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
                                                        • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
                                                        • GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
                                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
                                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406680
                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406696
                                                        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 004066A1
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressProc$HandleModulePolicyProcessVersion
                                                        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                        • API String ID: 3297890031-1119018034
                                                        • Opcode ID: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
                                                        • Instruction ID: 7e21cf5f117f2e3abcec30b6674fd8076a5a40f26409e7412662737288cf0c05
                                                        • Opcode Fuzzy Hash: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
                                                        • Instruction Fuzzy Hash: 5C612030A00009EBDB01FBAAD982D8D7BB89B45749B214077A405772F6DB3CEF199B5D

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
                                                        • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
                                                        • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
                                                        • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
                                                        • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
                                                        • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485ECD
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                        • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                        • API String ID: 2230631259-2623177817
                                                        • Opcode ID: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
                                                        • Instruction ID: 52726a1ce108b2e1205f78178c8bd3673f5dc6952592f7a0a7a67ab458256f91
                                                        • Opcode Fuzzy Hash: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
                                                        • Instruction Fuzzy Hash: FD118465148F8195DE1273794C8A77F2A888B10718F2C0C3B7B847A6D2DBBC8D85972F

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0042DD28: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,004545B0,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229), ref: 0042DD3B
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                          • Part of subcall function 0042DD80: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
                                                          • Part of subcall function 0042DD80: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0
                                                        • SHGetKnownFolderPath.SHELL32(0049CD48,00008000,00000000,?,00000000,0047EB7C), ref: 0047EA82
                                                        • CoTaskMemFree.OLE32(?,0047EAC5), ref: 0047EAB8
                                                          • Part of subcall function 0042D698: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DECE,00000000,0042DF60,?,?,?,0049E62C,00000000,00000000), ref: 0042D6C3
                                                        Strings
                                                        Similarity
                                                        • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                        • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                        • API String ID: 3771764029-544719455
                                                        • Opcode ID: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
                                                        • Instruction ID: 78e7a351989074df20a48af568640fcf9ae091c764a67f88943fd453c39c20c9
                                                        • Opcode Fuzzy Hash: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
                                                        • Instruction Fuzzy Hash: D4616034610104DFDB10EBA6D84269E7F69EB48319F60C6BBE404E7395C73CAE49CA9D

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                        • GetProcAddress.KERNEL32(74350000,SHGetFolderPathA), ref: 0047F1E1
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressDirectoryProcSystem
                                                        • String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                        • API String ID: 996212319-3422985891
                                                        • Opcode ID: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
                                                        • Instruction ID: 162927b5a2cba69edd54960eab9b72e157ae6c4c2e5edd016ae03b58ced20ba2
                                                        • Opcode Fuzzy Hash: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
                                                        • Instruction Fuzzy Hash: C1413034A0020ADFCB10EFA5D9819EEB7B5EF44309F90847BE518A7252D7389E09CB59

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0041F854: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872
                                                        • GetClassInfoA.USER32(00400000,00423B0C), ref: 00423D2F
                                                        • RegisterClassA.USER32(0049C630), ref: 00423D47
                                                        • GetSystemMetrics.USER32(00000000), ref: 00423D69
                                                        • GetSystemMetrics.USER32(00000001), ref: 00423D78
                                                        • SetWindowLongA.USER32(004108F0,000000FC,00423B1C), ref: 00423DD4
                                                        • SendMessageA.USER32(004108F0,00000080,00000001,00000000), ref: 00423DF5
                                                        • GetSystemMenu.USER32(004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E00
                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E0F
                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423E1C
                                                        • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423E32
                                                        Similarity
                                                        • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                        • String ID:
                                                        • API String ID: 183575631-0
                                                        • Opcode ID: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
                                                        • Instruction ID: 3c08988f126546789c3863b6090fce38962bc241f8b01a8198fec2671c318d21
                                                        • Opcode Fuzzy Hash: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
                                                        • Instruction Fuzzy Hash: B73173B17402506AEB10AF69EC82F6736989714709F60017BFA44EE2D7D6BDED00876D

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A
                                                        Strings
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                        • API String ID: 1646373207-2130885113
                                                        • Opcode ID: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
                                                        • Instruction ID: 18891d3ceb8887e2f5320c13b89f4eae329e81661ad9de64afed935a1ef9114c
                                                        • Opcode Fuzzy Hash: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
                                                        • Instruction Fuzzy Hash: EA119130644255BEEB00EF72D802B5E77A8D74479AF60447BF88066292D67C9E4C8A2D

                                                        Control-flow Graph

                                                        APIs
                                                        • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430E28
                                                        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430E37
                                                        • GetCurrentThreadId.KERNEL32 ref: 00430E51
                                                        • GlobalAddAtomA.KERNEL32(00000000), ref: 00430E72
                                                        Strings
                                                        Similarity
                                                        • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                        • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                        • API String ID: 4130936913-2943970505
                                                        • Opcode ID: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
                                                        • Instruction ID: 010e98d13399693fc9d497d8664f6f2789eb24ebecb377ca83b09cc51ba55008
                                                        • Opcode Fuzzy Hash: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
                                                        • Instruction Fuzzy Hash: 58F082B09483408ED300EB768842B1E7BE4AB58718F404A3FB498A62A1D77A9910CB1F

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCapture.USER32 ref: 00423334
                                                        • GetCapture.USER32 ref: 00423343
                                                        • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423349
                                                        • ReleaseCapture.USER32 ref: 0042334E
                                                        • GetActiveWindow.USER32 ref: 0042335D
                                                        • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004233DC
                                                        • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423440
                                                        • GetActiveWindow.USER32 ref: 0042344F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CaptureMessageSend$ActiveWindow$Release
                                                        • String ID:
                                                        • API String ID: 862346643-0
                                                        • Opcode ID: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
                                                        • Instruction ID: 18bdd7e577e3521af934e8bbd68e58ee55e38e107d312ae6febd14bbc8fb8244
                                                        • Opcode Fuzzy Hash: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
                                                        • Instruction Fuzzy Hash: 07414D30B00254AFDB10EF6AD982B9E77F1AF04704F5440BAE440AB2A2DB7D9F40CB58
                                                        APIs
                                                        • LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
                                                        • OemToCharA.USER32(?,?), ref: 00423BEC
                                                        • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Char$FileIconLoadLowerModuleName
                                                        • String ID: 2$MAINICON
                                                        • API String ID: 3935243913-3181700818
                                                        • Opcode ID: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
                                                        • Instruction ID: 9510fd107b4d1d478bc251de40ec4f21bd31917ac71a3749b9d0f73c54ce2f3c
                                                        • Opcode Fuzzy Hash: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
                                                        • Instruction Fuzzy Hash: 1031C271A042549EDB10EF69D8C47C67BE8AF14308F4441BAE844DB293D7BEDA88CB55
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 004193CD
                                                        • GlobalAddAtomA.KERNEL32(00000000), ref: 004193EE
                                                        • GetCurrentThreadId.KERNEL32 ref: 00419409
                                                        • GlobalAddAtomA.KERNEL32(00000000), ref: 0041942A
                                                          • Part of subcall function 00423558: GetDC.USER32(00000000), ref: 004235AE
                                                          • Part of subcall function 00423558: EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
                                                          • Part of subcall function 00423558: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
                                                          • Part of subcall function 00423558: ReleaseDC.USER32(00000000,00000000), ref: 004235D4
                                                          • Part of subcall function 00423B1C: LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
                                                          • Part of subcall function 00423B1C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
                                                          • Part of subcall function 00423B1C: OemToCharA.USER32(?,?), ref: 00423BEC
                                                          • Part of subcall function 00423B1C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C
                                                          • Part of subcall function 0041F5A8: GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
                                                          • Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
                                                          • Part of subcall function 0041F5A8: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
                                                          • Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
                                                          • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                        • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                        • API String ID: 316262546-2767913252
                                                        • Opcode ID: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
                                                        • Instruction ID: 70937e91f797630ba3b8911ce9801afdb7ec3901755c8c3c4a5a11a92c11164f
                                                        • Opcode Fuzzy Hash: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
                                                        • Instruction Fuzzy Hash: 92111A706182409AC300FF76D94279E3BE09B64309F80953FF449A72A2DB3DAD458B5F
                                                        APIs
                                                        • SetWindowLongA.USER32(?,000000FC,?), ref: 00413AF4
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00413AFF
                                                        • GetWindowLongA.USER32(?,000000F4), ref: 00413B11
                                                        • SetWindowLongA.USER32(?,000000F4,?), ref: 00413B24
                                                        • SetPropA.USER32(?,00000000,00000000), ref: 00413B3B
                                                        • SetPropA.USER32(?,00000000,00000000), ref: 00413B52
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$Prop
                                                        • String ID:
                                                        • API String ID: 3887896539-0
                                                        • Opcode ID: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
                                                        • Instruction ID: ae8f1583d3b1519aebe57cde2a9c9bb5e562c2388428f51edfa5c09d84851558
                                                        • Opcode Fuzzy Hash: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
                                                        • Instruction Fuzzy Hash: 8B11FC75500204BFCB00DFD9DC84E9A3BE8EB19364F104266B918DB2A2D738E990CB94
                                                        APIs
                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE63
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE6C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectoryErrorLast
                                                        • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                        • API String ID: 1375471231-2952887711
                                                        • Opcode ID: 317e1e7bbf4a3af73abdabfebb4315cb522a7b50e84db4702da261b6b103e4b1
                                                        • Instruction ID: 86bef283ce988d733661aa3151468cc82572962b3dbe771d766a2fd360a5d677
                                                        • Opcode Fuzzy Hash: 317e1e7bbf4a3af73abdabfebb4315cb522a7b50e84db4702da261b6b103e4b1
                                                        • Instruction Fuzzy Hash: C6415674A001099BCB11FFA2D881ADEB7B9FF48305F50457BE404B7792DB38AE058B98
                                                        APIs
                                                        • EnumWindows.USER32(00423EAC), ref: 00423F38
                                                        • GetWindow.USER32(?,00000003), ref: 00423F4D
                                                        • GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
                                                        • SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$EnumLongWindows
                                                        • String ID: EB
                                                        • API String ID: 4191631535-4058845024
                                                        • Opcode ID: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
                                                        • Instruction ID: d60c47438ca5cb8406b8c3c26f1ac59805b97d32456ef5cb908caaf585e7f615
                                                        • Opcode Fuzzy Hash: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
                                                        • Instruction Fuzzy Hash: E5115E71B04610AFDB109F28E989F5677F4EB08719F61066AF9649B2E2C378DC40CB58
                                                        APIs
                                                        • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                          • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                          • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                        • String ID: SHAutoComplete$shlwapi.dll
                                                        • API String ID: 395431579-1506664499
                                                        • Opcode ID: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
                                                        • Instruction ID: 6fa00d493cbbc8796123fe1d0635de5045be30c1a8ceda1a87749c26dfdb7117
                                                        • Opcode Fuzzy Hash: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
                                                        • Instruction Fuzzy Hash: 6501C434700758FBE711DB62EC42B5A7AF8DB56704FD000B7B00062691C6BA9D48862D
                                                        APIs
                                                        • GetMenu.USER32(00000000), ref: 004217F1
                                                        • SetMenu.USER32(00000000,00000000), ref: 0042180E
                                                        • SetMenu.USER32(00000000,00000000), ref: 00421843
                                                        • SetMenu.USER32(00000000,00000000), ref: 0042185F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Menu
                                                        • String ID:
                                                        • API String ID: 3711407533-0
                                                        • Opcode ID: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
                                                        • Instruction ID: cda4d875d1f608ccb0f244f9e48059a425efb766f93e731c33a2d40a56ce0a72
                                                        • Opcode Fuzzy Hash: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
                                                        • Instruction Fuzzy Hash: 4641B230B002604BDB20BE3A98857DB36959FA1708F48047FB8408F3A7CA7DCC8587AD
                                                        APIs
                                                        • SendMessageA.USER32(?,?,?,?), ref: 00417014
                                                        • SetTextColor.GDI32(?,00000000), ref: 0041702E
                                                        • SetBkColor.GDI32(?,00000000), ref: 00417048
                                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 00417070
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Color$CallMessageProcSendTextWindow
                                                        • String ID:
                                                        • API String ID: 601730667-0
                                                        • Opcode ID: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
                                                        • Instruction ID: 80572e548b46958a0d24f1498dfa195ce4484893cdd9813db9ff7b95e026d91f
                                                        • Opcode Fuzzy Hash: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
                                                        • Instruction Fuzzy Hash: A71151B5604700AFD710EE6ECD84E8B77EDDF49310B14882BB599DB612C62CEC418B79
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 004235AE
                                                        • EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004235D4
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CapsDeviceEnumFontsRelease
                                                        • String ID:
                                                        • API String ID: 2698912916-0
                                                        • Opcode ID: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
                                                        • Instruction ID: e37963186075478de4bf5b94465d182e7684c730ebf482ac601e72b604436184
                                                        • Opcode Fuzzy Hash: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
                                                        • Instruction Fuzzy Hash: B301D2A17043006AE700BF795D82B9B37649F00309F04467BF808AF3C2D67E9805476E
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356
  • Part of subcall function 004063FC: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
  • Part of subcall function 004063FC: GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
  • Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
  • Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
  • Part of subcall function 00406854: 6FDA1CD0.COMCTL32(0049BA49), ref: 00406854
  • Part of subcall function 00410BF4: GetCurrentThreadId.KERNEL32 ref: 00410C42
  • Part of subcall function 004194D0: GetVersion.KERNEL32(0049BA62), ref: 004194D0
  • Part of subcall function 0044FDB0: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
  • Part of subcall function 0044FDB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1
  • Part of subcall function 0045027C: GetVersionExA.KERNEL32(0049E794,0049BA7B), ref: 0045028B
  • Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
  • Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
  • Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
  • Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A
  • Part of subcall function 004578E4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E
  • Part of subcall function 00465A14: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
  • Part of subcall function 00465A14: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65
  • Part of subcall function 0046E39C: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7
  • Part of subcall function 0047AD94: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
  • Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
  • Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7
  • Part of subcall function 004863AC: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF
  • Part of subcall function 00498A20: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00498A39
• SetErrorMode.KERNEL32(00000001,00000000,0049BAF0), ref: 0049BAC2
  • Part of subcall function 0049B7EC: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
  • Part of subcall function 0049B7EC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC
  • Part of subcall function 00424964: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424983
  • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
• ShowWindow.USER32(?,00000005,00000000,0049BAF0), ref: 0049BB23
  • Part of subcall function 00484988: SetActiveWindow.USER32(?), ref: 00484A36
Strings
Similarity
• API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
• String ID: Setup
• API String ID: 56708735-3839654196
• Opcode ID: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
• Instruction ID: 45436910a3e38556774c512443cf6fe356218821253e756f5799c0333a1408c1
• Opcode Fuzzy Hash: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
• Instruction Fuzzy Hash: 5F31D2752046009EC601BBB7F95391D3BA8EB99708BA2443FF804D6663DF3D6814CA7E
APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478624
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478638
Strings
• Extracting temporary file: , xrefs: 00478560
Similarity
• API ID: FileTime$Local
• String ID: Extracting temporary file:
• API String ID: 791338737-4171118009
• Opcode ID: aa520a3ac5f958c34d744b30d7c234d8bf6031cbe7fc8b25111e19f533191b71
• Instruction ID: 383de906be10c9968b5e8a45eec8df85735b502e1e4fcc0ad11d623c1d954b10
• Opcode Fuzzy Hash: aa520a3ac5f958c34d744b30d7c234d8bf6031cbe7fc8b25111e19f533191b71
• Instruction Fuzzy Hash: FA41A670A00249AFCB01DFA5CC92EDFBBB8EB09304F51847AF914A7291D7789905CB58
APIs
  • Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
  • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
  • Part of subcall function 00485E3C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
  • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
  • Part of subcall function 00485E3C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
  • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
  • Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
  • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
  • Part of subcall function 00486178: GetVersionExA.KERNEL32(?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 00486186
  • Part of subcall function 00486178: GetVersionExA.KERNEL32(0000009C,?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 004861D8
  • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
  • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
  • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF
Strings
Similarity
• API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
• String ID: SHGetKnownFolderPath$shell32.dll
• API String ID: 1303913335-2936008475
• Opcode ID: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
• Instruction ID: 0a3b8753df86b64a0abe51da698ff3945e27f94a4f66e9c257dfb1cfa232dc74
• Opcode Fuzzy Hash: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
• Instruction Fuzzy Hash: 2A315EB06002019EC740FFBA999674A3BA4DB5430CB91897BF400FB3D2D77DA8099B5E
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454266
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045426F
Strings
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
• Instruction ID: 415d91b16f05740ba1416afe7bf5adb9ba5615b539517dd81add0c9acb6d8760
• Opcode Fuzzy Hash: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
• Instruction Fuzzy Hash: C9216775A002189BDB01EFA1C8429DFB7B8EB84309F50457BFC01BB342D63C9E458B65
APIs
  • Part of subcall function 00457874: CoInitialize.OLE32(00000000), ref: 0045787A
  • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
  • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
  • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E
Strings
Similarity
• API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 1013667774-2320870614
• Opcode ID: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
• Instruction ID: 883c9a478e7d65875247b88054ead2603694175a92ab65d05d339cd7b334e9d1
• Opcode Fuzzy Hash: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
• Instruction Fuzzy Hash: F7F03670604608ABE700EBA6E842F5D77ACDB45759F604077B800B2692D67CAE08C96D
APIs
  • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
  • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
  • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7
Strings
Similarity
• API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2552568031-2683653824
• Opcode ID: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
• Instruction ID: 1520e6e4c9beca3123f98d7cbe6aabbef4d784ad694bed30d21e1b99286f75d0
• Opcode Fuzzy Hash: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
• Instruction Fuzzy Hash: 48F04434604618BBDB00EB63DC42F5E7BECD745754FA14076F400A6591EA78AE048969
APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047EB66,00000000,0047EB7C), ref: 0047E876
Strings
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
• Opcode ID: 0fdb0a2a247bfeabe2f329d85a7e25e2766b5e62c95caade4e06d9dbaca377a3
• Instruction ID: 7230bcb305953dbfdc536c8ede0a4f62da6dd01636a6d4693cd9d102c919f290
• Opcode Fuzzy Hash: 0fdb0a2a247bfeabe2f329d85a7e25e2766b5e62c95caade4e06d9dbaca377a3
• Instruction Fuzzy Hash: F7F0B430B04104AFEB04E6A6ED82BEB379DC715308F2095BBE505DB392D678ED05979E
APIs
• 755A1520.VERSION(00000000,?,?,?,?), ref: 00452D08
• 755A1500.VERSION(00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D35
• 755A1540.VERSION(?,00452DAC,?,?,00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D4F
Similarity
• API ID: A1500A1520A1540
• String ID:
• API String ID: 2563864905-0
• Opcode ID: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
• Instruction ID: ddd73f9b83f47df12750701182fb86573bb1adbd0e7288047a879799487d3de5
• Opcode Fuzzy Hash: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
• Instruction Fuzzy Hash: EE216871A005086FD701DAA98D41DAFB7FCDB46711F554477FC04E3242D6799E08C769
APIs
• GetDC.USER32(00000000), ref: 0044B935
• SelectObject.GDI32(?,00000000), ref: 0044B958
• ReleaseDC.USER32(00000000,?), ref: 0044B98B
Similarity
• API ID: ObjectReleaseSelect
• String ID:
• API String ID: 1831053106-0
• Opcode ID: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
• Instruction ID: 5f6416779418d586cf190573f7bf4a7bb4d400156242e88c08e8c7aea5cbb268
• Opcode Fuzzy Hash: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
• Instruction Fuzzy Hash: C62177B0E04308AFEB11DFA5C881B9EBBB8EB49304F5184BAF500A7291D77CD940CB59
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B680,?,004849A3,?,?), ref: 0044B652
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B665
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B699
                                                        Similarity
                                                        • API ID: DrawText$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 65125430-0
                                                        APIs
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004248A2
                                                        • TranslateMessage.USER32(?), ref: 0042491F
                                                        • DispatchMessageA.USER32(?), ref: 00424929
                                                        Similarity
                                                        • API ID: Message$DispatchPeekTranslate
                                                        • String ID:
                                                        • API String ID: 4217535847-0
                                                        APIs
                                                        • SetPropA.USER32(00000000,00000000), ref: 00416AFA
                                                        • SetPropA.USER32(00000000,00000000), ref: 00416B0F
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416B36
                                                        Similarity
                                                        • API ID: Prop$Window
                                                        • String ID:
                                                        • API String ID: 3363284559-0
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 0041F2F4
                                                        • IsWindowEnabled.USER32(?), ref: 0041F2FE
                                                        • EnableWindow.USER32(?,00000000), ref: 0041F324
                                                        Similarity
                                                        • API ID: Window$EnableEnabledVisible
                                                        • String ID:
                                                        • API String ID: 3234591441-0
                                                        APIs
                                                          • Part of subcall function 0046E718: LoadBitmapA.USER32(00400000,DISKIMAGE), ref: 0046E7B7
                                                        • MessageBeep.USER32(00000000), ref: 0046E69E
                                                          • Part of subcall function 004232E0: GetCapture.USER32 ref: 00423334
                                                          • Part of subcall function 004232E0: GetCapture.USER32 ref: 00423343
                                                          • Part of subcall function 004232E0: SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423349
                                                          • Part of subcall function 004232E0: ReleaseCapture.USER32 ref: 0042334E
                                                          • Part of subcall function 004232E0: GetActiveWindow.USER32 ref: 0042335D
                                                          • Part of subcall function 004232E0: SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004233DC
                                                          • Part of subcall function 004232E0: SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423440
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$CaptureSend$ActiveBeepBitmapLoadReleaseWindow
                                                        • String ID: UhF
                                                        • API String ID: 2272996539-2771111025
                                                        APIs
                                                        • LoadBitmapA.USER32(00400000,DISKIMAGE), ref: 0046E7B7
                                                        Strings
                                                        Similarity
                                                        • API ID: BitmapLoad
                                                        • String ID: DISKIMAGE
                                                        • API String ID: 3581186644-3494684436
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047E97C,00000000,0047EB7C), ref: 0047E775
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047E745
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion
                                                        • API String ID: 47109696-1019749484
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        Strings
                                                        • System\CurrentControlSet\Control\Windows, xrefs: 0042E2C6
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID: System\CurrentControlSet\Control\Windows
                                                        • API String ID: 71445658-1109719901
                                                        APIs
                                                        • GetACP.KERNEL32(?,?,00000001,00000000,00480997,?,-0000001A,0048289A,-00000010,?,00000004,0000001C,00000000,00482C37,?,0045E3F8), ref: 0048072E
                                                          • Part of subcall function 0042E7AC: GetDC.USER32(00000000), ref: 0042E7BB
                                                          • Part of subcall function 0042E7AC: EnumFontsA.GDI32(?,00000000,0042E798,00000000,00000000,0042E804,?,00000000,00000000,?,00000001,00000000,00000002,00000000,0048361D), ref: 0042E7E6
                                                          • Part of subcall function 0042E7AC: ReleaseDC.USER32(00000000,?), ref: 0042E7FE
                                                        • SendNotifyMessageA.USER32(00020422,00000496,00002711,-00000001), ref: 004808FE
                                                        Similarity
                                                        • API ID: EnumFontsMessageNotifyReleaseSend
                                                        • String ID:
                                                        • API String ID: 2649214853-0
                                                        APIs
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E0CC
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E13C
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        APIs
                                                        • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B282
                                                        • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B3DF,00000000,0040B3F7,?,?,?,00000000), ref: 0040B293
                                                        Similarity
                                                        • API ID: Resource$FindFree
                                                        • String ID:
                                                        • API String ID: 4097029671-0
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 0041F383
                                                        • EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389
                                                        Similarity
                                                        • API ID: Thread$CurrentEnumWindows
                                                        • String ID:
                                                        • API String ID: 2396873506-0
                                                        • Opcode ID: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
                                                        • Instruction ID: 69490fc5d8632824c24a89202964c68dfb33a06c8812e8dd8cc51cc2245d12bd
                                                        • Opcode Fuzzy Hash: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
                                                        • Instruction Fuzzy Hash: E7016D75A04608BFD701CF76EC5195ABBF8E789720B62C877E804D3790E7386811DE18
                                                        APIs
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004236D9
                                                        • LoadCursorA.USER32(00000000,00000000), ref: 00423703
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CursorLoad
                                                        • String ID:
                                                        • API String ID: 3238433803-0
                                                        • Opcode ID: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
                                                        • Instruction ID: 38849c99451a314d8fe435546c8a0ff0f6ed66ecc1deebef06b1f4ec46e3768a
                                                        • Opcode Fuzzy Hash: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
                                                        • Instruction Fuzzy Hash: 5FF0A7617041206BD620593E6CC1D2A76AC8B81B35F61033BFA2BD73D1C66E6D41416D
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLibraryLoadMode
                                                        • String ID:
                                                        • API String ID: 2987862817-0
                                                        • Opcode ID: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
                                                        • Instruction ID: d8a4edba93e6b3564287fdd291ee362a4641d771db482aeeea55453c97403edd
                                                        • Opcode Fuzzy Hash: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
                                                        • Instruction Fuzzy Hash: 49F08270B14744BEDB116F779C6282BBBECE749B1079249B6F800A3691E63C88108928
                                                        APIs
                                                        • SHGetKnownFolderPath.SHELL32(0049CD58,00008000,00000000,?), ref: 0047EAD5
                                                        • CoTaskMemFree.OLE32(?,0047EB18), ref: 0047EB0B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FolderFreeKnownPathTask
                                                        • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                        • API String ID: 969438705-544719455
                                                        • Opcode ID: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
                                                        • Instruction ID: 165899f7cf3a7d3cc2084f0fc85f54689cbe0ef7c4de0502b74dd13bf0a7d919
                                                        • Opcode Fuzzy Hash: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
                                                        • Instruction Fuzzy Hash: C9E06D31340640AEEB11CA629C12B597BA8EB89B14BA184B3F500E6694D679AE009A58
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocFree
                                                        • String ID:
                                                        • API String ID: 2087232378-0
                                                        • Opcode ID: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
                                                        • Instruction ID: 9ed38fc533d8e4e5af650f240f956f2e356275670cbb68eb90ec247bb51ad9a4
                                                        • Opcode Fuzzy Hash: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
                                                        • Instruction Fuzzy Hash: 27F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9
                                                        APIs
                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00408BA2), ref: 00408A8B
                                                          • Part of subcall function 0040727C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407299
                                                          • Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: DefaultInfoLoadLocaleStringSystem
                                                        • String ID:
                                                        • API String ID: 1658689577-0
                                                        • Opcode ID: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
                                                        • Instruction ID: 1a1ee965da3d5e477180f9d3e1b3e31d3a1d40cbd97d3d5e52e02950362564b9
                                                        • Opcode Fuzzy Hash: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
                                                        • Instruction Fuzzy Hash: A7314F75E001099BCF00EB95C8819EEB779EF84314F51857BE814BB286E738AE458B99
                                                        APIs
                                                        • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 004200C9
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: InfoScroll
                                                        • String ID:
                                                        • API String ID: 629608716-0
                                                        • Opcode ID: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
                                                        • Instruction ID: fb0b6b32162d284d5e4e4472e465846aa9f3b1678ed1a2f027c040ff7edaf6c0
                                                        • Opcode Fuzzy Hash: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
                                                        • Instruction Fuzzy Hash: 4E214FB1604755AFD340DF39A44076ABBE4BB48314F04892EE098C3341E779E995CBD6
                                                        APIs
                                                        • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416A15
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 8d08b68c4afb1eab64d7fdcca146e1daab38f0b730360c265ee6b03fda5131d2
                                                        • Instruction ID: 5ef094d12f7d71e5830b73219e88c414bb2d46ce683ba0b40c209d6d3be90de3
                                                        • Opcode Fuzzy Hash: 8d08b68c4afb1eab64d7fdcca146e1daab38f0b730360c265ee6b03fda5131d2
                                                        • Instruction Fuzzy Hash: 26F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD261EC108BB1
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E7F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CallbackDispatcherUser
                                                        • String ID:
                                                        • API String ID: 2492992576-0
                                                        • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                        • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                        • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                        • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450FDC
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 724ae1468d06d2a46712d5b9868f6ea52c04c69a058dc852d8341962a3bca91f
                                                        • Instruction ID: 0bb8bc98a2ce5191ccdfd632eb20aa7c5cb2b99e9b0e2766e1f3384ce1d09118
                                                        • Opcode Fuzzy Hash: 724ae1468d06d2a46712d5b9868f6ea52c04c69a058dc852d8341962a3bca91f
                                                        • Instruction Fuzzy Hash: 28E092B13401483ED340DFAC7C81F9237CC931A314F008033B948D7241C4619D118BA8
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,0042D1A4,?,00000001,?,?,00000000,?,0042D1F6,00000000,004531FD,00000000,0045321E,?,00000000), ref: 0042D187
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
                                                        • Instruction ID: 90f30b3d4511ddb26d4e54eb5cb5bde7ef97429f4a5987d97ea56347c6c51953
                                                        • Opcode Fuzzy Hash: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
                                                        • Instruction Fuzzy Hash: C0E09B71704344BFD701FF62DC53E5ABBECDB49714BA14476B404D7691D5785E10C468
                                                        APIs
                                                        • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FormatMessage
                                                        • String ID:
                                                        • API String ID: 1306739567-0
                                                        • Opcode ID: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
                                                        • Instruction ID: e79f09bbc4d4bb3d85d444e79d719d693aec0fec5ee663d6819558c24f001612
                                                        • Opcode Fuzzy Hash: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
                                                        • Instruction Fuzzy Hash: F1E0206179471226F23515566C43B77160E43C0704F94403A7F40DD3D3D6AE9906425E
                                                        APIs
                                                        • CreateWindowExA.USER32(00000000,00423B0C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00406329
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                        • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                        • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                        • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(00498852,?,00498874,?,?,00000000,00498852,?,?), ref: 00414B2B
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004073B4
                                                        APIs
                                                          • Part of subcall function 00423A88: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A9D
                                                        • ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                          • Part of subcall function 00423AB8: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423AD4
                                                        APIs
                                                        • SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00451DA3,00000000), ref: 0042D1BF
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB64,0040D110,?,00000000,?), ref: 0040736D
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F840
                                                        APIs
                                                        • SetErrorMode.KERNEL32(?,0042E89D), ref: 0042E890
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872
                                                        APIs
                                                        • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00453805), ref: 004537E7
                                                        APIs
                                                        • LocalAlloc.KERNEL32(00000000,00000644,?,0049E450,004013A3,?,?,00401443,?,?,?,00000000,00004003,00401983), ref: 00401353
                                                        APIs
                                                        • GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
                                                        • SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
                                                        • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
                                                        • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
                                                        • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
                                                        • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
                                                        • FreeLibrary.KERNEL32(00000001,?,00419480,00000000,?,?,?,00000001), ref: 0041F6FF
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00458EBF
                                                        • QueryPerformanceCounter.KERNEL32(021B3858,00000000,00459152,?,?,021B3858,00000000,?,0045984E,?,021B3858,00000000), ref: 00458EC8
                                                        • GetSystemTimeAsFileTime.KERNEL32(021B3858,021B3858), ref: 00458ED2
                                                        • GetCurrentProcessId.KERNEL32(?,021B3858,00000000,00459152,?,?,021B3858,00000000,?,0045984E,?,021B3858,00000000), ref: 00458EDB
                                                        • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458F51
                                                        • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021B3858,021B3858), ref: 00458F5F
                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FA7
                                                        • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004590FD,?,00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FE0
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                        • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459089
                                                        • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004590BF
                                                        • CloseHandle.KERNEL32(000000FF,00459104,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004590F7
                                                          • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                        • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                        • API String ID: 770386003-3271284199
                                                        • Opcode ID: 503e93522aeb4d6eb01a580b699a4beccb5251148982b03956413f8d61ac7c90
                                                        • Instruction ID: 040c0b68ca5c8794fa0f134b015e2131507262e67e069d6a1689acc5a442bbd1
                                                        • Opcode Fuzzy Hash: 503e93522aeb4d6eb01a580b699a4beccb5251148982b03956413f8d61ac7c90
                                                        • Instruction Fuzzy Hash: 9C710170A00754AEDB11DF65CC45B9EB7F8AB05705F1084AAF908FB282DB785944CF69
                                                        APIs
                                                        • CoCreateInstance.OLE32(0049CA78,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456EAE
                                                        • CoCreateInstance.OLE32(0049C764,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456ED4
                                                        • SysFreeString.OLEAUT32(00000000), ref: 0045708B
                                                        Strings
                                                        • {pf32}\, xrefs: 00456F4E
                                                        • CoCreateInstance, xrefs: 00456EDF
                                                        • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 004570C2
                                                        • IPropertyStore::Commit, xrefs: 00457113
                                                        • %ProgramFiles(x86)%\, xrefs: 00456F5E
                                                        • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456FED
                                                        • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004570FA
                                                        • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00457021
                                                        • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00457070
                                                        • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00457134
                                                        • IPersistFile::Save, xrefs: 00457192
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateInstance$FreeString
                                                        • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                        • API String ID: 308859552-2363233914
                                                        • Opcode ID: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
                                                        • Instruction ID: 2e1e526739867e50670bceb89507c71339c1b21d6ee211b494412a744f46fea4
                                                        • Opcode Fuzzy Hash: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
                                                        • Instruction Fuzzy Hash: 3DB13C71A04104AFDB10DFA9D885B9E7BF8AF09306F1440A6F804E7362DB38DD49CB69
                                                        APIs
                                                          • Part of subcall function 0047A4E4: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
                                                          • Part of subcall function 0047A4E4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
                                                          • Part of subcall function 0047A4E4: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
                                                          • Part of subcall function 0047A4E4: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC), ref: 0047A540
                                                          • Part of subcall function 0047A4E4: CloseHandle.KERNEL32(00000000,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E
                                                          • Part of subcall function 0047A5BC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,0047A64E,?,?,?,021B79FC,?,0047A6B0,00000000,0047A7C6,?,?,?,?), ref: 0047A5EC
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0047A700
                                                        • GetLastError.KERNEL32(00000000,0047A7C6,?,?,?,?), ref: 0047A709
                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047A756
                                                        • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047A77A
                                                        • CloseHandle.KERNEL32(00000000,0047A7AB,00000000,00000000,000000FF,000000FF,00000000,0047A7A4,?,00000000,0047A7C6,?,?,?,?), ref: 0047A79E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                        • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                        • API String ID: 883996979-221126205
                                                        • Opcode ID: 58d1bfba5840bad948c2963b7d5ad4a4cbc1477af2dcba1bc699b1f368994b23
                                                        • Instruction ID: 0d6525aa7dba4a670bafe224496e1c5a7b1f34ed0ce7a0cdec9df710ef63790c
                                                        • Opcode Fuzzy Hash: 58d1bfba5840bad948c2963b7d5ad4a4cbc1477af2dcba1bc699b1f368994b23
                                                        • Instruction Fuzzy Hash: 15315871900204AFDB15EFA5C842ADEB7B8EF84318F50843BF518E7282D77C99158B5A
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 00418823
                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 00418840
                                                        • GetWindowRect.USER32(?), ref: 0041885C
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0041886A
                                                        • GetWindowLongA.USER32(?,000000F8), ref: 0041887F
                                                        • ScreenToClient.USER32(00000000), ref: 00418888
                                                        • ScreenToClient.USER32(00000000,?), ref: 00418893
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                        • String ID: ,
                                                        • API String ID: 2266315723-3772416878
                                                        • Opcode ID: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
                                                        • Instruction ID: 4677e2b8f0f91e01fbb11cd2367981c379ed87121ba2a99f8ef1be567d42c28b
                                                        • Opcode Fuzzy Hash: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
                                                        • Instruction Fuzzy Hash: 5A11E971505201AFDB00EF69C885F9B77E8AF49314F140A7EB958DB296D738D900CB69
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
                                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455E42
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E69
                                                        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E6E
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00455E7F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                        • String ID: SeShutdownPrivilege
                                                        • API String ID: 107509674-3733053543
                                                        • Opcode ID: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
                                                        • Instruction ID: 6597e5a33764c8e3d598d3dac94519450192e65d962eb3d098ce792c7942ec46
                                                        • Opcode Fuzzy Hash: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
                                                        • Instruction Fuzzy Hash: 08F06270294B02B9E620A7718C17F3B31CC9B40B59F54092ABD05EA1C3E7BCD6088A7A
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244,?,?,00000000,0049E62C), ref: 0049AF7F
                                                        • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049B002
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000), ref: 0049B01A
                                                        • FindClose.KERNEL32(000000FF,0049B045,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244), ref: 0049B038
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirstNext
                                                        • String ID: isRS-$isRS-???.tmp
                                                        • API String ID: 134685335-3422211394
                                                        • Opcode ID: 8a0e407055bcc48a166b4c68cb87e7478124ee091fc37de7cfc9e5e296a24429
                                                        • Instruction ID: 04bf727f3197cccd33fd944652b66e3324626472502a6d6b0206edec7ebcaf7d
                                                        • Opcode Fuzzy Hash: 8a0e407055bcc48a166b4c68cb87e7478124ee091fc37de7cfc9e5e296a24429
                                                        • Instruction Fuzzy Hash: 49316471901618ABDF10EF65DD41ADFBBBCDB49304F5044B7A818A32A1E7389F45CE98
                                                        APIs
                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EA1
                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EC8
                                                        • SetForegroundWindow.USER32(?), ref: 00457ED9
                                                        • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004581B1,?,00000000,004581ED), ref: 0045819C
                                                        Strings
                                                        • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045801C
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                        • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                        • API String ID: 2236967946-3182603685
                                                        • Opcode ID: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
                                                        • Instruction ID: 1e470f9c67850fe58258b166e2de1343f71499e9040d68aaec82a8138f7570a6
                                                        • Opcode Fuzzy Hash: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
                                                        • Instruction Fuzzy Hash: D491FE34704604EFDB15CF55DD51F5ABBF9EB88704F2184BAE804A7792CA38AE09CB58
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045677B), ref: 0045666C
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00456672
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                        • API String ID: 1646373207-3712701948
                                                        • Opcode ID: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
                                                        • Instruction ID: b3c638b06f07771193fa82c07f29861e578aec67d60b7d75356f70af58752f0b
                                                        • Opcode Fuzzy Hash: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
                                                        • Instruction Fuzzy Hash: 84418271A00249AFCF01EFA5C8829EEB7B8EF4C305F51456AF804F7252D6785E098B68
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00476F9D
                                                        • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 0047707A
                                                        • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00477088
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID: unins$unins???.*
                                                        • API String ID: 3541575487-1009660736
                                                        • Opcode ID: e251b762db6165ba207b7824ace5213380cead4c6968a53f505fa530eae50332
                                                        • Instruction ID: b3651197dbd027c67a28626735fb33018e03d09d0edc3c1e02fba50c739ea7b0
                                                        • Opcode Fuzzy Hash: e251b762db6165ba207b7824ace5213380cead4c6968a53f505fa530eae50332
                                                        • Instruction Fuzzy Hash: C6313E70A04148AFCB10EB65CD81ADEB7BDEB45344F91C0F6A40CA72A2DB79DF458B58
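Three of the function records above carry string constants that are stable Inno Setup runtime artefacts rather than anything specific to this sample: the 64-bit helper pipe name `\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x` (built from the tick count, performance counter, system time and process ID, then handed to CreateNamedPipeA and CreateProcessA), the cleanup wildcard `isRS-???.tmp` passed to FindFirstFileA, and the uninstaller wildcard `unins???.*`. The same is true of the "runas" ShellExecuteEx call and the SeShutdownPrivilege/ExitWindowsEx routine: they are the installer framework's standard elevation and restart paths, so the report's "launch a program with higher privileges" and "shutdown / reboot" signatures describe Inno Setup itself and say nothing on their own about the payload it drops. The snippet below is an added example, not part of the Joe Sandbox report or of the Inno Setup code base. It turns those three string constants into a small host-telemetry triage routine: it assumes Sysmon-style event dicts (EventID 17/18 with a `PipeName` that omits the `\\.\pipe` prefix, EventID 11 with a `TargetFilename`), treats each `?` in the wildcards as one character other than a path separator, and runs over constructed sample events whose paths, PIDs and hex values are made up.

```python
import re

# Added example, not code from the Joe Sandbox report or from Inno Setup.
# Pipe name format recovered from the stub's string table:
#   \\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
# Each %.8x is zero-padded lowercase hex, so the suffix is 8-8-8-16 hex digits.
# Sysmon PipeCreated/PipeConnected events (IDs 17/18) carry the name without the
# \\.\pipe prefix (assumption about the log layout); both spellings are accepted.
HELPER_PIPE_RE = re.compile(
    r"^(?:\\\\\.\\pipe)?\\InnoSetup64BitHelper-"
    r"[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{16}$",
    re.IGNORECASE,
)
# Wildcards the stub hands to FindFirstFileA, also from the string table.
# '?' is treated as any single character that is not a path separator.
ISRS_TEMP_RE = re.compile(r"(?:^|\\)isRS-[^\\]{3}\.tmp$", re.IGNORECASE)
UNINS_RE = re.compile(r"(?:^|\\)unins[^\\]{3}\.[^\\]+$", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Tag one Sysmon-style event dict with the Inno Setup artefacts it shows."""
    tags = []
    eid = event.get("EventID")
    if eid in (17, 18) and HELPER_PIPE_RE.match(event.get("PipeName", "")):
        tags.append("innosetup-64bit-helper-pipe")
    if eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if ISRS_TEMP_RE.search(target):
            tags.append("innosetup-isrs-tempfile")
        if UNINS_RE.search(target):
            tags.append("innosetup-uninstaller-file")
    return tags


def triage(events) -> dict:
    """Group tags by ProcessId so a process showing the whole installer pattern
    stands out from a single coincidental match. Only tagged PIDs are returned."""
    by_pid: dict = {}
    for ev in events:
        for tag in classify(ev):
            by_pid.setdefault(ev.get("ProcessId"), set()).add(tag)
    return by_pid


# Constructed sample events: paths, PIDs and hex values are invented for the demo.
SAMPLE_EVENTS = [
    {"EventID": 17, "ProcessId": 4242,
     "Image": r"C:\Users\analyst\AppData\Local\Temp\is-ABCDE.tmp\Setup.tmp",
     "PipeName": r"\InnoSetup64BitHelper-0005c4a8-1f3e9a02-01d5b2c7-01db2f3e8c4a1b20"},
    {"EventID": 17, "ProcessId": 1337,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133700000000000000.1337.DefaultAppDomain.powershell"},
    {"EventID": 11, "ProcessId": 4242,
     "TargetFilename": r"C:\Program Files (x86)\DemoApp\unins000.exe"},
    {"EventID": 11, "ProcessId": 4242,
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\isRS-A1B.tmp"},
    {"EventID": 11, "ProcessId": 9001,
     "TargetFilename": r"C:\Windows\Temp\random.tmp"},
]

if __name__ == "__main__":
    for pid, tags in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, sorted(tags))
```

Matching these tags identifies the Inno Setup runtime, which is useful for de-duplicating installer noise in a SOC or for pivoting from a sandbox verdict to the host that ran the sample; judging whether the installer is malicious still means looking at the files it drops and the processes it launches after the helper pipe is up, which this report lists separately.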
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 0041819F
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$Placement$Iconic
                                                        • String ID: ,
                                                        • API String ID: 568898626-3772416878
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001,00000000,0046528D), ref: 00465101
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465190
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465222
                                                        • FindClose.KERNEL32(000000FF,00465249,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 0046523C
                                                        Similarity
                                                        • API ID: Find$File$CloseErrorFirstModeNext
                                                        • String ID:
                                                        • API String ID: 4011626565-0
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001,00000000,00465733), ref: 004655C1
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 00465607
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656BC
                                                        • FindClose.KERNEL32(000000FF,004656E7,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656DA
                                                        Similarity
                                                        • API ID: Find$File$CloseErrorFirstModeNext
                                                        • String ID:
                                                        • API String ID: 4011626565-0
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EDE6
                                                        • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EE11
                                                        • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE1E
                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE26
                                                        • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE2C
                                                        Similarity
                                                        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                        • String ID:
                                                        • API String ID: 1177325624-0
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 00485D3A
                                                        • GetWindowLongA.USER32(00000000,000000F0), ref: 00485D58
                                                        • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D7A
                                                        • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D8E
                                                        Similarity
                                                        • API ID: Window$Show$IconicLong
                                                        • String ID:
                                                        • API String ID: 2754861897-0
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00463C18), ref: 00463B9C
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BD8
                                                        • FindClose.KERNEL32(000000FF,00463BFF,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BF2
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID:
                                                        • API String ID: 3541575487-0
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 00424674
                                                        • SetActiveWindow.USER32(?,?,?,?,0046E2FF), ref: 00424681
                                                          • Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                          • Part of subcall function 00423FA4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021B25AC,0042469A,?,?,?,?,0046E2FF), ref: 00423FDF
                                                        • SetFocus.USER32(00000000,?,?,?,?,0046E2FF), ref: 004246AE
                                                        Similarity
                                                        • API ID: Window$ActiveFocusIconicShow
                                                        • String ID:
                                                        • API String ID: 649377781-0
                                                        APIs
                                                        • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F2A1
                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F2B1
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F2D9
                                                        Similarity
                                                        • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                        • String ID:
                                                        • API String ID: 3525989157-0
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 0041819F
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A
                                                        Similarity
                                                        • API ID: Window$Placement$Iconic
                                                        • String ID:
                                                        • API String ID: 568898626-0
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 00453275
                                                        • GetLastError.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 0045327D
                                                        Similarity
                                                        • API ID: ErrorFileFindFirstLast
                                                        • String ID:
                                                        • API String ID: 873889042-0
                                                        APIs
                                                        Similarity
                                                        • API ID: CaptureIconic
                                                        • String ID:
                                                        • API String ID: 2277910766-0
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 0042462B
                                                          • Part of subcall function 00423F14: EnumWindows.USER32(00423EAC), ref: 00423F38
                                                          • Part of subcall function 00423F14: GetWindow.USER32(?,00000003), ref: 00423F4D
                                                          • Part of subcall function 00423F14: GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
                                                          • Part of subcall function 00423F14: SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92
                                                        • SetActiveWindow.USER32(?,?,?,00424203,00000000,004245EC), ref: 0042463F
                                                          • Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                        Similarity
                                                        • API ID: Window$ActiveEnumIconicLongShowWindows
                                                        • String ID:
                                                        • API String ID: 2671590913-0
                                                        • Opcode ID: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
                                                        • Instruction ID: d3e93a58e57438a951a07f29fe0797b16f8422c20572e0da7720cbe2ca5f63be
                                                        • Opcode Fuzzy Hash: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
                                                        • Instruction Fuzzy Hash: B4E01A60700100C7EF00EFAAE8C4F8662A4BF88304F95017ABC48CF24BD67CDC448724
                                                        APIs
                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C65), ref: 00412C53
                                                        Similarity
                                                        • API ID: NtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 4255912815-0
                                                        • Opcode ID: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
                                                        • Instruction ID: b726886feaa3cfb0c3c92f2e05cced8293b81fa2aba97a9fc1f2d8d784250eff
                                                        • Opcode Fuzzy Hash: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
                                                        • Instruction Fuzzy Hash: BD51F7317086058FC714DF6AD680A9AF3E5FFA8304B20866BD844C7365E7B8AD91C749
                                                        APIs
                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047AD82
                                                        Similarity
                                                        • API ID: NtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 4255912815-0
                                                        • Opcode ID: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
                                                        • Instruction ID: 72cb5964904ea9acb86450fde6e950c62e8bde0ebf735d0adfbf9209324b5543
                                                        • Opcode Fuzzy Hash: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
                                                        • Instruction Fuzzy Hash: C6415B75604104EFCB20CF59C2908AEB7F6EB88311B74C992E849DB751D338EE51DB96
                                                        APIs
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
                                                        • Instruction ID: 85d927fa64bde7e0f6bd0e56391a747b52e91616c2131cbf33e1fd207173554c
                                                        • Opcode Fuzzy Hash: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
                                                        • Instruction Fuzzy Hash: 91D0C2B230460063C700BA68DC825AA358D8B84305F00483E7CC5DA2C3EABDDA4C5696
                                                        APIs
                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042FA1C
                                                        Similarity
                                                        • API ID: NtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 4255912815-0
                                                        • Opcode ID: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
                                                        • Instruction ID: e991843b48109e052d0f5957ab47f1130dd67dcde68d8ed9d112e108350b7662
                                                        • Opcode Fuzzy Hash: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
                                                        • Instruction Fuzzy Hash: 02D05E7131010C6B9B00DE98E840C6B33AC9B88700BA08829F908C7201C634ED1097A8
                                                        APIs
                                                          • Part of subcall function 0044BB38: GetVersionExA.KERNEL32(00000094), ref: 0044BB55
                                                          • Part of subcall function 0044BB8C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BBA4
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
                                                        • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
                                                        • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
                                                        • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
                                                        • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
                                                        • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
                                                        • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
                                                        • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
                                                        • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
                                                        • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BD20
                                                        • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BD32
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BD44
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BD56
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BD68
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BD7A
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BD8C
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD9E
                                                        • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BDB0
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BDC2
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BDD4
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BDE6
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BDF8
                                                        • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BE0A
                                                        • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BE1C
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BE2E
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BE40
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BE52
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BE64
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BE76
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BE88
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE9A
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BEAC
                                                        • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BEBE
                                                        • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BED0
                                                        • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BEE2
                                                        • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BEF4
                                                        • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BF06
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BF18
                                                        • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BF2A
                                                        • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BF3C
                                                        • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BF4E
                                                        • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BF60
                                                        • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BF72
                                                        Similarity
                                                        • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                        • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                        • API String ID: 2754715182-2910565190
                                                        • Opcode ID: 67b95b5371f249a8e9232e37dcb11037f6e4e7b41a9552869577b47b5d37a655
                                                        • Instruction ID: ecd7112d65f411c7eccfc6eab1653a3c74b71e6b2ad24da097032ecd241f34bd
                                                        • Opcode Fuzzy Hash: 67b95b5371f249a8e9232e37dcb11037f6e4e7b41a9552869577b47b5d37a655
                                                        • Instruction Fuzzy Hash: 3AA14DB0A41710EBEB40EFF6DCC6A2A37A8EB15B1475405BBB440EF295D6789C048F5E
                                                        APIs
                                                        • Sleep.KERNEL32(00000000,00000000,004957E1,?,?,?,?,00000000,00000000,00000000), ref: 0049532C
                                                        • FindWindowA.USER32(00000000,00000000), ref: 0049535D
                                                        Similarity
                                                        • API ID: FindSleepWindow
                                                        • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                        • API String ID: 3078808852-3310373309
                                                        • Opcode ID: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
                                                        • Instruction ID: 81b0b0a091168c97ae0ef179256dddc1b1175ea621cc4e7edfbae85d46dbfd27
                                                        • Opcode Fuzzy Hash: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
                                                        • Instruction Fuzzy Hash: BEC17364B04A006BDB11BA7E8C8252F5D999F98704B21D97FB406EB78BCE3CDD0A435D
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0041CED0
                                                        • CreateCompatibleDC.GDI32(?), ref: 0041CEDC
                                                        • CreateBitmap.GDI32(0041ADD4,?,00000001,00000001,00000000), ref: 0041CF00
                                                        • CreateCompatibleBitmap.GDI32(?,0041ADD4,?), ref: 0041CF10
                                                        • SelectObject.GDI32(0041D2CC,00000000), ref: 0041CF2B
                                                        • FillRect.USER32(0041D2CC,?,?), ref: 0041CF66
                                                        • SetTextColor.GDI32(0041D2CC,00000000), ref: 0041CF7B
                                                        • SetBkColor.GDI32(0041D2CC,00000000), ref: 0041CF92
                                                        • PatBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00FF0062), ref: 0041CFA8
                                                        • CreateCompatibleDC.GDI32(?), ref: 0041CFBB
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041CFEC
                                                        • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041D004
                                                        • RealizePalette.GDI32(00000000), ref: 0041D00D
                                                        • SelectPalette.GDI32(0041D2CC,00000000,00000001), ref: 0041D01C
                                                        • RealizePalette.GDI32(0041D2CC), ref: 0041D025
                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041D03E
                                                        • SetBkColor.GDI32(00000000,00000000), ref: 0041D055
                                                        • BitBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00000000,00000000,00000000,00CC0020), ref: 0041D071
                                                        • SelectObject.GDI32(00000000,?), ref: 0041D07E
                                                        • DeleteDC.GDI32(00000000), ref: 0041D094
                                                          • Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2
                                                        Similarity
                                                        • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                        • String ID:
                                                        • API String ID: 269503290-0
                                                        • Opcode ID: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
                                                        • Instruction ID: 50a53eb504fbb6e8939598bee840ef50963709612b5229ad76d17b3bfbc4c74e
                                                        • Opcode Fuzzy Hash: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
                                                        • Instruction Fuzzy Hash: 8061DD71E44605AFDF10EBA9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,0046A512,?,?,00000001,00000000,00000000,0046A52D,?,00000000,00000000,?), ref: 0046A4FB
                                                        Strings
                                                        • Inno Setup: Deselected Tasks, xrefs: 0046A489
                                                        • Inno Setup: Selected Components, xrefs: 0046A41A
                                                        • Inno Setup: Setup Type, xrefs: 0046A40A
                                                        • Inno Setup: Icon Group, xrefs: 0046A3D6
                                                        • Inno Setup: User Info: Organization, xrefs: 0046A4CA
                                                        • Inno Setup: App Path, xrefs: 0046A3BA
                                                        • Inno Setup: Selected Tasks, xrefs: 0046A467
                                                        • Inno Setup: User Info: Name, xrefs: 0046A4B7
                                                        • Inno Setup: No Icons, xrefs: 0046A3E3
                                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046A357
                                                        • Inno Setup: Deselected Components, xrefs: 0046A43C
                                                        • Inno Setup: User Info: Serial, xrefs: 0046A4DD
                                                        • %s\%s_is1, xrefs: 0046A375
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                        • API String ID: 47109696-1093091907
                                                        • Opcode ID: 947d5e2a840cd0f7f0d09533035c80cb62753167544c3cfac0689ddf2d2c6ec6
                                                        • Instruction ID: bc3733d3a6311be72aa26145a3a6b26ae63bc40f30ab818c77ebdc0ae002d22e
                                                        • Opcode Fuzzy Hash: 947d5e2a840cd0f7f0d09533035c80cb62753167544c3cfac0689ddf2d2c6ec6
                                                        • Instruction Fuzzy Hash: 2F518170600A049FCB11DB65D952BEEB7B4EF49304F5084BAE841B7391E738AE15CF5A
                                                        APIs
                                                          • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00474660
                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0047477B
                                                        • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00474791
                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004747B6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                        • String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
                                                        • API String ID: 971782779-2902529204
                                                        • Opcode ID: 330034a915ced079845cbf1cea9e084ad7f87fc11f80c344b399d6c520442979
                                                        • Instruction ID: 3ad2e39f7b63c2e1f507bff71cd9103ce15de2bb976d6045025a0d2193d98ff2
                                                        • Opcode Fuzzy Hash: 330034a915ced079845cbf1cea9e084ad7f87fc11f80c344b399d6c520442979
                                                        • Instruction Fuzzy Hash: A4D14574A00149AFDB01EFA9D581BEEBBF4AF48304F50806AF904B7391D7789D45CB69
                                                        APIs
                                                        • ShowWindow.USER32(?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000,0049B9AD,?,00000000), ref: 0049B2D7
                                                        • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000), ref: 0049B2EA
                                                        • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000), ref: 0049B2FA
                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049B31B
                                                        • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000), ref: 0049B32B
                                                          • Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                        • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                        • API String ID: 2000705611-3672972446
                                                        • Opcode ID: 156ad486bfb0fac3f487207040e9f787bf55138415fd3a05a874ba80daf8e455
                                                        • Instruction ID: b2f29c3ed6207bb9e160049bb2bddfcad5bd5dcd32a025f4107ba54bac6b8e5f
                                                        • Opcode Fuzzy Hash: 156ad486bfb0fac3f487207040e9f787bf55138415fd3a05a874ba80daf8e455
                                                        • Instruction Fuzzy Hash: E691D430A04204AFDF11EBA5E952BAE7FB5EB49308F514477F900A7292C77CAC05DB99
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,0045B224,?,?,?,?,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045B0D6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                        • API String ID: 1452528299-3112430753
                                                        • Opcode ID: ab50d6d67a90fe5bb3bdf92bbe17049e1b649d1ad40f3e02f79738e274085eea
                                                        • Instruction ID: 2fb3476e9d017ff0a5902371132bc4733b6d883e7af691887050c1a5ddfae389
                                                        • Opcode Fuzzy Hash: ab50d6d67a90fe5bb3bdf92bbe17049e1b649d1ad40f3e02f79738e274085eea
                                                        • Instruction Fuzzy Hash: 8E71A0307002486BCB01EB6998867AF7BA5EF48705F50846BFC11DB383DB7C9A49879D
                                                        APIs
                                                        • GetVersion.KERNEL32 ref: 0045D46A
                                                        • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D48A
                                                        • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D497
                                                        • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D4A4
                                                        • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D4B2
                                                          • Part of subcall function 0045D358: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D3F7,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D3D1
                                                        • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D56B
                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D574
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                        • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                        • API String ID: 59345061-4263478283
                                                        • Opcode ID: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
                                                        • Instruction ID: 783a5280d5c6dd2c4afe06b2d07c38c27ed9239d6cb54be80e3f389c0ae86338
                                                        • Opcode Fuzzy Hash: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
                                                        • Instruction Fuzzy Hash: B75164B1D00608EFDB20DF99C841BAEB7B8EF48315F14806AF915B7381D6789945CF69
                                                        APIs
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0041B853
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0041B85D
                                                        • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B86F
                                                        • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B886
                                                        • GetDC.USER32(00000000), ref: 0041B892
                                                        • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B8BF
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041B8E5
                                                        • SelectObject.GDI32(00000000,?), ref: 0041B900
                                                        • SelectObject.GDI32(?,00000000), ref: 0041B90F
                                                        • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041B949
                                                        • SelectObject.GDI32(?,00000000), ref: 0041B957
                                                        • DeleteDC.GDI32(00000000), ref: 0041B960
                                                        • DeleteDC.GDI32(?), ref: 0041B969
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                        • String ID:
                                                        • API String ID: 644427674-0
                                                        • Opcode ID: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
                                                        • Instruction ID: 5bdd10242b191c11111876c14ee0e8e9a171a3e9253023a3b6fe339c600245b0
                                                        • Opcode Fuzzy Hash: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
                                                        • Instruction Fuzzy Hash: F841AC71E40659ABDF10EAE9D846FAFB7BCEB08704F104466F614FB281C77869408BA4
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,?,00000000,?,00000000,00455309,?,0045B3FA,00000003,00000000,00000000,00455340), ref: 00455189
                                                          • Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                        • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045520D
                                                        • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045523C
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550A7
                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550E0
                                                        • RegOpenKeyEx, xrefs: 0045510C
                                                        • , xrefs: 004550FA
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: QueryValue$FormatMessageOpen
                                                        • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                        • API String ID: 2812809588-1577016196
                                                        • Opcode ID: 90c155d29a162f42536040a428d5147cc3b318795b3defe912c53872d02d50b9
                                                        • Instruction ID: a1e8c034b49f6a69a24190b621a186803033118ea706e5513908ccb254d87fbd
                                                        • Opcode Fuzzy Hash: 90c155d29a162f42536040a428d5147cc3b318795b3defe912c53872d02d50b9
                                                        • Instruction Fuzzy Hash: 30914071D00608ABDB00DBE5D952BEEB7F8EB49305F50406BF904F7282D6789E098B69
                                                        APIs
                                                          • Part of subcall function 00459BF4: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459D8F
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459DF9
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459E60
                                                        Strings
                                                        • v1.1.4322, xrefs: 00459E52
                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459D42
                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459DAC
                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459E13
                                                        • .NET Framework not found, xrefs: 00459EAD
                                                        • .NET Framework version %s not found, xrefs: 00459E99
                                                        • v2.0.50727, xrefs: 00459DEB
                                                        • v4.0.30319, xrefs: 00459D81
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Close$Open
                                                        • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                        • API String ID: 2976201327-446240816
                                                        • Opcode ID: f6b3cb58f9efd823100033f5cf01a804f09535b735d8ab3221605bdce94989d0
                                                        • Instruction ID: 28c73818cd0e0a48a6ea9a4a771bbd3fec88f932accac903083750955a5b2269
                                                        • Opcode Fuzzy Hash: f6b3cb58f9efd823100033f5cf01a804f09535b735d8ab3221605bdce94989d0
                                                        • Instruction Fuzzy Hash: 6A51C135A041059BCB00DF65D8A2BEE77BADB49305F5444BBA901D7383EB39AE0EC758
                                                        APIs
                                                        • CloseHandle.KERNEL32(?), ref: 0045930B
                                                        • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459327
                                                        • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00459335
                                                        • GetExitCodeProcess.KERNEL32(?), ref: 00459346
                                                        • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045938D
                                                        • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004593A9
                                                        Strings
                                                        • Helper process exited., xrefs: 00459355
                                                        • Helper process exited with failure code: 0x%x, xrefs: 00459373
                                                        • Helper process exited, but failed to get exit code., xrefs: 0045937F
                                                        • Helper isn't responding; killing it., xrefs: 00459317
                                                        • Stopping 64-bit helper process. (PID: %u), xrefs: 004592FD
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                        • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                        • API String ID: 3355656108-1243109208
                                                        • Opcode ID: 31af0bc72dcf286b9cdcaf18319f9fca47c800144db10ee0d336689cc4105cd2
                                                        • Instruction ID: e85fc657e119397c97ed97e1faf084f02df15e80d39cea5897c552b80fc28b15
                                                        • Opcode Fuzzy Hash: 31af0bc72dcf286b9cdcaf18319f9fca47c800144db10ee0d336689cc4105cd2
                                                        • Instruction Fuzzy Hash: 1C212A70604740DBC720E779C88575B77D49F48305F04892EBC9ADB292EA78EC489B6A
                                                        APIs
                                                          • Part of subcall function 0042E274: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E2A0
                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454E4B
                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454F87
                                                          • Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                        Strings
                                                        • RegCreateKeyEx, xrefs: 00454DBF
                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D93
                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D63
                                                        • , xrefs: 00454DAD
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CloseCreateFormatMessageQueryValue
                                                        • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                        • API String ID: 2481121983-1280779767
                                                        • Opcode ID: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
                                                        • Instruction ID: c7e759269ab329005b5c2b3a4910326777c7a2f104b103968227fab848b04cb9
                                                        • Opcode Fuzzy Hash: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
                                                        • Instruction Fuzzy Hash: FB81FE71A00209AFDB10DF95C952BEEB7B8FB48305F50452AF900FB282D7789E45CB69
                                                        APIs
                                                          • Part of subcall function 004540B8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
                                                          • Part of subcall function 004540B8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00499B39
                                                        • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00499C8D), ref: 00499B5A
                                                        • CreateWindowExA.USER32(00000000,STATIC,00499C9C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00499B81
                                                        • SetWindowLongA.USER32(?,000000FC,00499314), ref: 00499B94
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC,00499C9C), ref: 00499BC4
                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00499C38
                                                        • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000), ref: 00499C44
                                                          • Part of subcall function 0045452C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613
                                                        • DestroyWindow.USER32(?,00499C67,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC), ref: 00499C5A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                        • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                        • API String ID: 1549857992-2312673372
                                                        • Opcode ID: 1f3bafc0e186f300dec5fbc6d090f359a74c05df203eaf13724df8ff57aa1244
                                                        • Instruction ID: eb5cd57210df4e96fe4a968102c50da815bdab5ab87cf2bc8b3503f8df2cfa0e
                                                        • Opcode Fuzzy Hash: 1f3bafc0e186f300dec5fbc6d090f359a74c05df203eaf13724df8ff57aa1244
                                                        • Instruction Fuzzy Hash: 36414170A00208AFDF00EBA9DD42F9E7BF8EB09704F11457AF510F7291D6799E008B68
                                                        APIs
                                                        • GetActiveWindow.USER32 ref: 0042F660
                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F674
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F681
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F68E
                                                        • GetWindowRect.USER32(?,00000000), ref: 0042F6DA
                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F718
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                        • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                        • API String ID: 2610873146-3407710046
                                                        • Opcode ID: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
                                                        • Instruction ID: 4fddece845ce4b02eeba35f690bf3974305695bca327a465bc6d277b32236c01
                                                        • Opcode Fuzzy Hash: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
                                                        • Instruction Fuzzy Hash: F721C2B67006146BD300EA78EC85F3B77A9DBD4710F98463AF944DB382DA78EC084B59
                                                        APIs
                                                        • GetActiveWindow.USER32 ref: 00463DF0
                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 00463E04
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463E11
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00463E1E
                                                        • GetWindowRect.USER32(?,00000000), ref: 00463E6A
                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00463EA8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                        • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                        • API String ID: 2610873146-3407710046
                                                        • Opcode ID: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
                                                        • Instruction ID: 5546c7ca55dac75a37d5be63b5862a2b7bf7fa91672d6aed0c393ab4f47302e1
                                                        • Opcode Fuzzy Hash: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
                                                        • Instruction Fuzzy Hash: 5821B0B67006146BD300AB68CC41F3B76D9DB84B01F08452EF944DB382EA79ED018B6A
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045968B,?,00000000,004596EE,?,?,021B3858,00000000), ref: 00459509
                                                        • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459566
                                                        • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459573
                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004595BF
                                                        • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00459620,?,00000000), ref: 004595E5
                                                        • GetLastError.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00459620,?,00000000), ref: 004595EC
                                                          • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                        • String ID: CreateEvent$TransactNamedPipe
                                                        • API String ID: 2182916169-3012584893
                                                        • Opcode ID: 3838fa40a1deebe970fde6eca78008ca9f4db9c6a92df26a9d5781284d1f31ce
                                                        • Instruction ID: 5e3c9d9fc8331b786f0ce76ad2fce8520c17318b204ac54c9f287bbe44ec3061
                                                        • Opcode Fuzzy Hash: 3838fa40a1deebe970fde6eca78008ca9f4db9c6a92df26a9d5781284d1f31ce
                                                        • Instruction Fuzzy Hash: 8B418D71A00608FFDB05DFA5C981F9EB7F9EB48714F1140A6F900E7692D6789E54CB28
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004576B5,?,?,00000031,?), ref: 00457578
                                                        • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 0045757E
                                                        • LoadTypeLib.OLEAUT32(00000000,?), ref: 004575CB
                                                          • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressErrorHandleLastLoadModuleProcType
                                                        • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                        • API String ID: 1914119943-2711329623
                                                        • Opcode ID: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
                                                        • Instruction ID: 6576a6400b1684fe66b120d0c5268abc33dc5c30e9c8dd9853542a513f4dec10
                                                        • Opcode Fuzzy Hash: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
                                                        • Instruction Fuzzy Hash: 2931B471604A04AFC711EFAADC41E5B77ADEB8C7157108476F804D3652DA38D904C728
                                                        APIs
                                                        • GetActiveWindow.USER32 ref: 0042FA6F
                                                        • GetFocus.USER32 ref: 0042FA77
                                                        • RegisterClassA.USER32(0049C7AC), ref: 0042FA98
                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB6C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FAD6
                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FB1C
                                                        • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FB2D
                                                        • SetFocus.USER32(00000000,00000000,0042FB4F,?,?,?,00000001,00000000,?,00458BE2,00000000,0049E62C), ref: 0042FB34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                        • String ID: ,I$TWindowDisabler-Window
                                                        • API String ID: 3167913817-1404624659
                                                        • Opcode ID: e2b2a2ae27556a65b412687966efa2413deb230ca33fdb04704f6127524fbc50
                                                        • Instruction ID: a62ceaa4fb40b7d97b276e036e96e71c03e0c95da72a7b9a05d0a528f526b251
                                                        • Opcode Fuzzy Hash: e2b2a2ae27556a65b412687966efa2413deb230ca33fdb04704f6127524fbc50
                                                        • Instruction Fuzzy Hash: A9218171B80710BAE210EB66DD13F1A7AA4EB14B04FE1413BF604BB2D1D7B97D0586AD
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E8D1
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E8D7
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E925
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressCloseHandleModuleProc
                                                        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                        • API String ID: 4190037839-2401316094
                                                        • Opcode ID: bfe26157fc1d5c44e7f4d02ee5b383407bcb44f8cca39e96dfc57e8882b64368
                                                        • Instruction ID: cdd838938204d4cbb06352ad172040986bb4042bf6ca521554dfda5889237b72
                                                        • Opcode Fuzzy Hash: bfe26157fc1d5c44e7f4d02ee5b383407bcb44f8cca39e96dfc57e8882b64368
                                                        • Instruction Fuzzy Hash: 7F212170B00229AFDB50EBA7DC46BAE77A9EB04304F904477A500E7291DB7C9E45DB1C
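The function blocks at refs 0042F660, 00463DF0, 00457578 and 0042E8D1 above all resolve an API at run time through GetModuleHandleA followed by GetProcAddress, which is the pattern a static import-table review misses, whether it is there for OS-version compatibility (optional APIs such as MonitorFromWindow or GetUserDefaultUILanguage) or for evasion. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses API records in the format printed in these listings into structured calls and pairs each GetProcAddress with the module named by the preceding module lookup. The argument columns in these records are reconstructed stack slots and are not always aligned with the real parameters (compare GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL) at ref 0045757E with the GetModuleHandleA line before it, whose second slot carries UnRegisterTypeLib), so the example falls back to the module-lookup line when the GetProcAddress slot holds a DLL name. The sample records are copied from the listings above; the regular expression, the ApiCall type and the slot-fallback heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: API records copied verbatim from the function listings in this report.
SAMPLE = """\
• GetActiveWindow.USER32 ref: 0042F660
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F674
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F681
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F68E
• GetWindowRect.USER32(?,00000000), ref: 0042F6DA
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004576B5,?,?,00000031,?), ref: 00457578
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 0045757E
• LoadTypeLib.OLEAUT32(00000000,?), ref: 004575CB
  • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E8D1
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E8D7
"""

# Assumed record grammar: "[• ][Part of subcall function XXXXXXXX: ]Api.MODULE[(arg,arg,...)], ref: XXXXXXXX"
RECORD = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

MODULE_LOOKUPS = ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
                  "LoadLibraryExA", "LoadLibraryExW")


@dataclass
class ApiCall:
    api: str
    module: str          # exporting module as printed in the record (KERNEL32, USER32, ...)
    args: List[str]      # reconstructed stack slots, in the order printed
    ref: str             # call-site address
    subcall: Optional[str] = None  # enclosing subcall function, if the record says so


def parse_records(text: str) -> List[ApiCall]:
    """Turn report lines into ApiCall records; lines that are not API records are skipped."""
    calls = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
    return calls


def _is_dll_name(slot: str) -> bool:
    return slot.lower().endswith(".dll")


def _is_placeholder(slot: str) -> bool:
    # "?" marks an unrecovered slot; bare 8-hex-digit values are addresses or integers, not names.
    return slot in ("", "?") or re.fullmatch(r"-?[0-9A-Fa-f]{8}", slot) is not None


def resolved_imports(calls: List[ApiCall]) -> List[Tuple[str, str, str]]:
    """Pair each GetProcAddress with the module named by the most recent module lookup.

    Returns (module, symbol, ref) triples. When the GetProcAddress symbol slot holds a DLL
    name instead of a symbol (slot misalignment in the record), the symbol is taken from
    the first name-like slot of the preceding module lookup (assumed heuristic).
    """
    module, lookup_slots, found = None, [], []
    for c in calls:
        if c.api in MODULE_LOOKUPS:
            if c.args and _is_dll_name(c.args[0]):
                module, lookup_slots = c.args[0].lower(), c.args[1:]
            continue
        if c.api != "GetProcAddress":
            continue
        symbol = c.args[1] if len(c.args) > 1 else ""
        if _is_placeholder(symbol) or _is_dll_name(symbol):
            symbol = next((s for s in lookup_slots if not _is_placeholder(s) and not _is_dll_name(s)),
                          "<unknown>")
        found.append((module or "<unknown>", symbol, c.ref))
    return found


if __name__ == "__main__":
    for mod, sym, ref in resolved_imports(parse_records(SAMPLE)):
        print(f"{ref}: {mod}!{sym}")
```

Running the block lists four dynamically resolved imports (MonitorFromWindow and GetMonitorInfoA from user32.dll, UnRegisterTypeLib from OLEAUT32.DLL, GetUserDefaultUILanguage from kernel32.dll). Treat the output as a triage aid rather than ground truth: the fallback recovers the symbol only because the name still appears in a neighbouring slot, and a record whose slots are all placeholders yields "<unknown>" on purpose rather than a guessed name.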
                                                        APIs
                                                        • RectVisible.GDI32(?,?), ref: 004172A3
                                                        • SaveDC.GDI32(?), ref: 004172B7
                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004172DA
                                                        • RestoreDC.GDI32(?,?), ref: 004172F5
                                                        • CreateSolidBrush.GDI32(00000000), ref: 00417375
                                                        • FrameRect.USER32(?,?,?), ref: 004173A8
                                                        • DeleteObject.GDI32(?), ref: 004173B2
                                                        • CreateSolidBrush.GDI32(00000000), ref: 004173C2
                                                        • FrameRect.USER32(?,?,?), ref: 004173F5
                                                        • DeleteObject.GDI32(?), ref: 004173FF
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                        • String ID:
                                                        • API String ID: 375863564-0
                                                        • Opcode ID: af4ae4eeb6710fbb213c1e53341c9029e3ebf74134847315771785f616f52871
                                                        • Instruction ID: c95a734d2d00aea9c177a3b06cfd5000d642d04c6817e823e80f404ee62f0a93
                                                        • Opcode Fuzzy Hash: af4ae4eeb6710fbb213c1e53341c9029e3ebf74134847315771785f616f52871
                                                        • Instruction Fuzzy Hash: 8B513A716086445FDB51EF69C8C0B9B77E8AF48314F1445AAFD488B287C738EC82CB99
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                        • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                        • String ID:
                                                        • API String ID: 1694776339-0
                                                        • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                        • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                        • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                        • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                        APIs
                                                        • GetSystemMenu.USER32(00000000,00000000), ref: 004226C3
                                                        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226E1
                                                        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226EE
                                                        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226FB
                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422708
                                                        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422715
                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422722
                                                        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042272F
                                                        • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042274D
                                                        • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422769
                                                        Similarity
                                                        • API ID: Menu$Delete$EnableItem$System
                                                        • String ID:
                                                        • API String ID: 3985193851-0
                                                        • Opcode ID: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
                                                        • Instruction ID: 3d3520f8b7ec6d74ae20e05d6755b86abcf69838e80cbfb0a1e170c33371412b
                                                        • Opcode Fuzzy Hash: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
                                                        • Instruction Fuzzy Hash: 4F2124703447047AE720E725DD8BFAB7AD89B04B08F044065B6447F2D3C6F8EA40869C
                                                        APIs
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00483DA9
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00483DBD
                                                        • SendNotifyMessageA.USER32(00020422,00000496,00002710,00000000), ref: 00483E2F
                                                        Strings
                                                        • Not restarting Windows because Setup is being run from the debugger., xrefs: 00483DDE
                                                        • Restarting Windows., xrefs: 00483E0A
                                                        • GetCustomSetupExitCode, xrefs: 00483C49
                                                        • Deinitializing Setup., xrefs: 00483C0A
                                                        • DeinitializeSetup, xrefs: 00483CA5
                                                        Similarity
                                                        • API ID: FreeLibrary$MessageNotifySend
                                                        • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                        • API String ID: 3817813901-1884538726
                                                        • Opcode ID: a1d20826effbd6ee7987240b18311ca60e570c601e3f4d7b51613ce3ab4886e7
                                                        • Instruction ID: eabafc25287b198f6322efd67ece7b763d9c4378165dc3fe8608e6ffeb49dec3
                                                        • Opcode Fuzzy Hash: a1d20826effbd6ee7987240b18311ca60e570c601e3f4d7b51613ce3ab4886e7
                                                        • Instruction Fuzzy Hash: 4451B030700240AFD710EF79D885B5E77E4EB29B09F50887BE800D72A1DB38AE49CB19
                                                        APIs
                                                        • SHGetMalloc.SHELL32(?), ref: 004629AF
                                                        • GetActiveWindow.USER32 ref: 00462A13
                                                        • CoInitialize.OLE32(00000000), ref: 00462A27
                                                        • SHBrowseForFolder.SHELL32(?), ref: 00462A3E
                                                        • CoUninitialize.OLE32(00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A53
                                                        • SetActiveWindow.USER32(?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A69
                                                        • SetActiveWindow.USER32(?,?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A72
                                                        Similarity
                                                        • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                        • String ID: A
                                                        • API String ID: 2684663990-3554254475
                                                        • Opcode ID: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
                                                        • Instruction ID: 226cd12c2bf5eadadc06a8ace2d3cfe2a2dab59726cbcd1c1d639dda9b16e66d
                                                        • Opcode Fuzzy Hash: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
                                                        • Instruction Fuzzy Hash: 2A3130B0E00208AFCB10EFB6D945A9EBBF8EB09304F51447AF414F7251E7789A04CB69
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675,?,?,00000000,004748F8), ref: 0047437C
                                                          • Part of subcall function 0042D224: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D29A
                                                          • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                        • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675), ref: 004743F3
                                                        • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000), ref: 004743F9
                                                        Similarity
                                                        • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                        • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                        • API String ID: 884541143-1710247218
                                                        • Opcode ID: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
                                                        • Instruction ID: 4e84a14b44ef1bdc1f764160ca150a50166b9b0d2b2f0232ddeafb405eb560a8
                                                        • Opcode Fuzzy Hash: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
                                                        • Instruction Fuzzy Hash: 2311C8307005147BD711E6659C82BAF73ADDB84758F60C17BF804A72C2DB3C9E02966D
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000000E), ref: 00419100
                                                        • GetSystemMetrics.USER32(0000000D), ref: 00419108
                                                        • 6FD82980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041910E
                                                          • Part of subcall function 00410C88: 6FD7C400.COMCTL32(,I,000000FF,00000000,0041913C,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00410C8C
                                                        • 6FDECB00.COMCTL32(,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041915E
                                                        • 6FDEC740.COMCTL32(00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419169
                                                        • 6FDECB00.COMCTL32(,I,00000001,?,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000), ref: 0041917C
                                                        • 6FD80860.COMCTL32(,I,0041919F,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E), ref: 00419192
                                                        Similarity
                                                        • API ID: MetricsSystem$C400C740D80860D82980
                                                        • String ID: ,I
                                                        • API String ID: 2924641870-3697734810
                                                        • Opcode ID: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
                                                        • Instruction ID: 6bf9c1d71f03a7720a29bcea3f2ffb204bbf738efc2d09f76f7aaa5da4135df4
                                                        • Opcode Fuzzy Hash: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
                                                        • Instruction Fuzzy Hash: D0116675744304BBEB14EBA5DC83F9E73A8EB04B04F50456AF604E72D1E6B99D808B58
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DB4D
                                                        • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DB5D
                                                        • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DB6D
                                                        • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DB7D
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                        • API String ID: 190572456-3516654456
                                                        • Opcode ID: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
                                                        • Instruction ID: 6393fdd59b419d4e4f2c5b3e50f991f6d57498fd626e4870853c8bb2a7f4f2ae
                                                        • Opcode Fuzzy Hash: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
                                                        • Instruction Fuzzy Hash: 1101FFB0D00600DBE724EF369C4672636EAAFA4706F15C43BAD49D66A3E778548CCE1C
                                                        APIs
                                                        • SetBkColor.GDI32(?,00000000), ref: 0041AE49
                                                        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE83
                                                        • SetBkColor.GDI32(?,?), ref: 0041AE98
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEE2
                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AEED
                                                        • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEFD
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AF3C
                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AF46
                                                        • SetBkColor.GDI32(00000000,?), ref: 0041AF53
                                                        Similarity
                                                        • API ID: Color$StretchText
                                                        • String ID:
                                                        • API String ID: 2984075790-0
                                                        • Opcode ID: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
                                                        • Instruction ID: cd8b06f21d39e7e3a7e3fb9164a1477e2cec4af8eaf2e363a2f859aea8ea57af
                                                        • Opcode Fuzzy Hash: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
                                                        • Instruction Fuzzy Hash: 5B61B4B5A00515EFCB40EFADD985E9AB7F9EF08314B1481AAF518DB251C734ED408BA8
                                                        APIs
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                        • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458B08,?, /s ",?,regsvr32.exe",?,00458B08), ref: 00458A7A
                                                        Similarity
                                                        • API ID: CloseDirectoryHandleSystem
                                                        • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                        • API String ID: 2051275411-1862435767
                                                        • Opcode ID: fccac86d07197311a4edf8604bcb819999ceb6f5a46ea8415be930abf83fe94c
                                                        • Instruction ID: 80d87ab17c090028f18ddd9dc69d9a9522a7783b235ef4a64a7d04e5292bd67e
                                                        • Opcode Fuzzy Hash: fccac86d07197311a4edf8604bcb819999ceb6f5a46ea8415be930abf83fe94c
                                                        • Instruction Fuzzy Hash: 8341E470E003486BDB11EF95C842B9DB7B9AF45305F50407FB904BB296DF78AE098B59
                                                        APIs
                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 0044D815
                                                        • GetSysColor.USER32(00000014), ref: 0044D81C
                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D834
                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D85D
                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D867
                                                        • GetSysColor.USER32(00000010), ref: 0044D86E
                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D886
                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8AF
                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8DA
                                                        Similarity
                                                        • API ID: Text$Color$Draw$OffsetRect
                                                        • String ID:
                                                        • API String ID: 1005981011-0
                                                        • Opcode ID: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
                                                        • Instruction ID: 7afddb25c4ac74ad42c6f663f4adf30dc2f4b2673d3e6822d8b2a46fb9ac5c49
                                                        • Opcode Fuzzy Hash: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
                                                        • Instruction Fuzzy Hash: AB21AFB46015047FD700FB2ACD8AE9B7BECDF19319B00457A7914EB393C678DE408669
                                                        APIs
                                                        • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004686B3
                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004686D9
                                                          • Part of subcall function 0046854C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004685E7
                                                          • Part of subcall function 0046854C: DestroyCursor.USER32(00000000), ref: 004685FD
                                                        • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00468730
                                                        • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00468791
                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004687B7
                                                        Similarity
                                                        • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                        • String ID: c:\directory$shell32.dll
                                                        • API String ID: 3376378930-1375355148
                                                        • Opcode ID: b6c1907d4098c2e0cbdb9ddbbc3b84275fc9f93d63d07bf08395ee6d7f31ef64
                                                        • Instruction ID: 811d36ee9d093b3b0276aa4c13663b10f9457e770bee0cd4c871c76846c3392c
                                                        • Opcode Fuzzy Hash: b6c1907d4098c2e0cbdb9ddbbc3b84275fc9f93d63d07bf08395ee6d7f31ef64
                                                        • Instruction Fuzzy Hash: D2515070600244AFD710EF55CC8AFDAB7E8AB48305F5082BAF4049B751DA799E81CA59
                                                        APIs
                                                          • Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B
                                                          • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 004993F1
                                                        • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00499405
                                                        • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0049941F
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049942B
                                                        • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499431
                                                        • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499444
                                                        Strings
                                                        • Deleting Uninstall data files., xrefs: 00499367
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                        • String ID: Deleting Uninstall data files.
                                                        • API String ID: 1570157960-2568741658
                                                        • Opcode ID: dcf1fa44ca791b62f8829d6d279a4ef47d464233a3fb077f8fa075eafe451efd
                                                        • Instruction ID: b7a2e365abb4ca1ce7a24153babf5e0292396e8760e8134f6a37584f4bf7a1e8
                                                        • Opcode Fuzzy Hash: dcf1fa44ca791b62f8829d6d279a4ef47d464233a3fb077f8fa075eafe451efd
                                                        • Instruction Fuzzy Hash: 8F214470708200AFEB21EF7AEC86B163798DB58759F11453FB901DA1E3D6789C05DA1D
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D,?,?,?,?,00000000), ref: 00471AC7
                                                        • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D), ref: 00471ADE
                                                        • AddFontResourceA.GDI32(00000000), ref: 00471AFB
                                                        • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471B0F
                                                        Strings
                                                        • AddFontResource, xrefs: 00471B19
                                                        • Failed to set value in Fonts registry key., xrefs: 00471AD0
                                                        • Failed to open Fonts registry key., xrefs: 00471AE5
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                        • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                        • API String ID: 955540645-649663873
                                                        • Opcode ID: 1833a09a70803b4382502aa5e4deb5c24e4c660bf977aa41c59f976886b4857b
                                                        • Instruction ID: e418864d87a496604354a2259d3816e8ecf3f11e764263395734e4855b1f90ef
                                                        • Opcode Fuzzy Hash: 1833a09a70803b4382502aa5e4deb5c24e4c660bf977aa41c59f976886b4857b
                                                        • Instruction Fuzzy Hash: 5B2181707402047BDB10EA6A9C42F9A679CDB45704F60C077B904EB3D2EA7CED05966D
                                                        APIs
                                                          • Part of subcall function 004168A0: GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
                                                          • Part of subcall function 004168A0: UnregisterClassA.USER32(?,00400000), ref: 0041693B
                                                          • Part of subcall function 004168A0: RegisterClassA.USER32(?), ref: 0041695E
                                                        • GetVersion.KERNEL32 ref: 00464254
                                                        • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00464292
                                                        • SHGetFileInfo.SHELL32(00464330,00000000,?,00000160,00004011), ref: 004642AF
                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 004642CD
                                                        • SetCursor.USER32(00000000,00000000,00007F02,00464330,00000000,?,00000160,00004011), ref: 004642D3
                                                        • SetCursor.USER32(?,00464313,00007F02,00464330,00000000,?,00000160,00004011), ref: 00464306
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                        • String ID: Explorer
                                                        • API String ID: 2594429197-512347832
                                                        • Opcode ID: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
                                                        • Instruction ID: b3b98aa5a53488e53f8304eecf0dc9993ee5463f80e55bafd62bb8cbb11790a6
                                                        • Opcode Fuzzy Hash: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
                                                        • Instruction Fuzzy Hash: 4321BB307403046AFF11BBB65C47B9A76989B45708F5040BBBA05EB2C3D9BD5851866D
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
                                                        • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?,?,?,021B79FC), ref: 0047A540
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,021B79FC,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                        • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                        • API String ID: 2704155762-2318956294
                                                        • Opcode ID: 9a2fa8f97a38dc74da99cb908791113ec1c22fa4b31381523c5c01c2eb65d99e
                                                        • Instruction ID: 4c547af52153d5fc494c8abbb987ccd3797ba2b79672919e7250df90ec71fc91
                                                        • Opcode Fuzzy Hash: 9a2fa8f97a38dc74da99cb908791113ec1c22fa4b31381523c5c01c2eb65d99e
                                                        • Instruction Fuzzy Hash: 54019291B4070476E520717A4C86BBF264C8BD4769F248137BB1CFE2D2E9AD992601AF
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,0045A81E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045A762
                                                          • Part of subcall function 00454BF0: FindClose.KERNEL32(000000FF,00454CE6), ref: 00454CD5
                                                        Strings
                                                        • Stripped read-only attribute., xrefs: 0045A724
                                                        • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A73C
                                                        • Failed to delete directory (%d). Will retry later., xrefs: 0045A77B
                                                        • Failed to strip read-only attribute., xrefs: 0045A730
                                                        • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A7D7
                                                        • Failed to delete directory (%d)., xrefs: 0045A7F8
                                                        • Deleting directory: %s, xrefs: 0045A6EB
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseErrorFindLast
                                                        • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                        • API String ID: 754982922-1448842058
                                                        • Opcode ID: 57d73ecb5a26e4a21e44b8e1c19324ce0402e2811ee4ac88cd56011b96146cb8
                                                        • Instruction ID: ed451348c7d3678a4819a833a09a40bf82a586c96773c367329f7393d5e0e002
                                                        • Opcode Fuzzy Hash: 57d73ecb5a26e4a21e44b8e1c19324ce0402e2811ee4ac88cd56011b96146cb8
                                                        • Instruction Fuzzy Hash: 9441A734A101189BCB00EB6988417AE76A59F89306F55867FAC01E7383DB7CCA1D875F
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0042991A
                                                        • GetTextMetricsA.GDI32(00000000), ref: 00429923
                                                          • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00429932
                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 0042993F
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00429946
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0042994E
                                                        • GetSystemMetrics.USER32(00000006), ref: 00429973
                                                        • GetSystemMetrics.USER32(00000006), ref: 0042998D
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                        • String ID:
                                                        • API String ID: 1583807278-0
                                                        • Opcode ID: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
                                                        • Instruction ID: 064b8ceea34646deb673d9898a5f132a00f345b4bbd4d539d92df2c89931976d
                                                        • Opcode Fuzzy Hash: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
                                                        • Instruction Fuzzy Hash: 1801C4D17047112BF710B2B69CC2F6B5588DB84368F44053FFA869A3D3E97D9C80866E
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0041E2B7
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E2C1
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041E2CE
                                                        • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E2DD
                                                        • GetStockObject.GDI32(00000007), ref: 0041E2EB
                                                        • GetStockObject.GDI32(00000005), ref: 0041E2F7
                                                        • GetStockObject.GDI32(0000000D), ref: 0041E303
                                                        • LoadIconA.USER32(00000000,00007F00), ref: 0041E314
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                        • String ID:
                                                        • API String ID: 225703358-0
                                                        • Opcode ID: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
                                                        • Instruction ID: eda06bb9e73b08d19024368069479301758e63dc44a0e31fec7fdbc279e4b1ec
                                                        • Opcode Fuzzy Hash: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
                                                        • Instruction Fuzzy Hash: 8C112B70645301AAE740FF765996BAA3690D724708F40943BF604EF3D2DB7E5C418B6E
                                                        APIs
                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00464738
                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,004647CD), ref: 0046473E
                                                        • SetCursor.USER32(?,004647B5,00007F02,00000000,004647CD), ref: 004647A8
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Cursor$Load
                                                        • String ID: $ $Internal error: Item already expanding
                                                        • API String ID: 1675784387-1948079669
                                                        • Opcode ID: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
                                                        • Instruction ID: 9cbbcba472df96bd09ce797c5f765fac8c2f652b56477a68fde2327aac6a5f51
                                                        • Opcode Fuzzy Hash: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
                                                        • Instruction Fuzzy Hash: 8CB1C174600604DFDB20DF65C585B9BBBF0AF85308F1580ABE8459B792E778ED44CB1A
                                                        APIs
                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfileStringWrite
                                                        • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                        • API String ID: 390214022-3304407042
                                                        • Opcode ID: 15c80b712bfc3896de28ac9e123faf05c132c344b1f59453ec291826b5364b4c
                                                        • Instruction ID: c5648654d35dc4fa5992192bdfac3c74e0b4d15883e79a195514524b6fb94f40
                                                        • Opcode Fuzzy Hash: 15c80b712bfc3896de28ac9e123faf05c132c344b1f59453ec291826b5364b4c
                                                        • Instruction Fuzzy Hash: D1912334A001099BDB01EFA5D841BDEB7F5EF89309F508467E900BB692D778AE49CB58
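The function records above are the raw material behind several of the report's signatures: the GetModuleHandleA/GetProcAddress record resolves GetFinalPathNameByHandleA at run time (the "Extensive use of GetProcAddress" signature), the WritePrivateProfileStringA record carries the WININIT.INI and [rename] strings next to MoveFileEx, and the RegSetValueExA record writes under HKLM\System\CurrentControlSet\Control\Windows (the Fonts key, per its own error strings) before broadcasting WM_FONTCHANGE. Reading hundreds of such records by hand is slow, so the following is an added triage script, not part of the Joe Sandbox report or of Inno Setup: it parses the IDA-plugin listing format (the `• Name.MODULE(args), ref: addr` API lines, `Part of subcall function` prefixes, `xrefs:` strings, and the `$`-separated String ID) into records and flags three patterns. The finding labels, the hive abbreviations (80000002 is HKEY_LOCAL_MACHINE per the Win32 constants) and the reading of the WININIT.INI record as a MoveFileEx fallback are my own; the sample input reproduces three of the records above in abridged form.

```python
import re
from dataclasses import dataclass, field

# Three function records from the listing above, abridged (argument lists
# shortened; Memory Dump Source and hash lines dropped, the parser ignores them).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021B79FC,?), ref: 0047A4FD
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003), ref: 0047A540
Strings
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
APIs
  • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\\CurrentControlSet\\Control\\Windows,00485FB3), ref: 0042E2C8
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 00471AC7
• AddFontResourceA.GDI32(00000000), ref: 00471AFB
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471B0F
Strings
• AddFontResource, xrefs: 00471B19
• Failed to set value in Fonts registry key., xrefs: 00471AD0
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
"""

# "• Name.MODULE(args), ref: ADDR" or the paren-less "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:".
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]{8})\s*$")
STR_RE = re.compile(r"^\s*•\s*(.*), xrefs: ([0-9A-F]{8})\s*$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}  # HKEY_* constants
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""  # callee address when the line is a "Part of subcall function" entry

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref) pairs from the Strings section
    string_ids: list = field(default_factory=list)
    api_id: str = ""

def parse_listing(text):
    """Split a Joe Sandbox IDA-plugin listing into one FuncRecord per 'APIs' header."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            rec, section = FuncRecord(), "APIs"
            records.append(rec)
        elif s in SECTIONS:
            section = s
        elif rec is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            sub, name, mod, args, ref = m.groups()
            rec.calls.append(ApiCall(name, mod, [a for a in (args or "").split(",") if a], ref, sub or ""))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m.group(1), m.group(2)))
        elif section == "Similarity" and s.startswith("• String ID:"):
            rec.string_ids = [v.strip() for v in s[len("• String ID:"):].split("$") if v.strip()]
        elif section == "Similarity" and s.startswith("• API ID:"):
            rec.api_id = s[len("• API ID:"):].strip()
    return records

def literal_args(call):
    """Arguments the plugin printed as text rather than as an 8-digit hex constant or '?'."""
    return [a for a in call.args if a != "?" and not HEX_RE.match(a)]

def triage(rec):
    """Return (label, evidence) findings for one function record; labels are this script's own."""
    findings, names = [], {c.name for c in rec.calls}
    if "GetProcAddress" in names:
        # Export names passed to the resolver calls: APIs reached without an import-table entry.
        targets = sorted({a for c in rec.calls if c.name in RESOLVERS
                          for a in literal_args(c) if not a.lower().endswith(".dll")})
        findings.append(("dynamic-api-resolution", targets))
    if "WritePrivateProfileStringA" in names and "WININIT.INI" in rec.string_ids:
        # WININIT.INI [rename] is the pre-NT reboot-time rename/delete mechanism; its presence
        # beside the MoveFileEx string is read here (assumption) as a fallback for that API.
        findings.append(("wininit-rename-fallback", [v for v in rec.string_ids if v in ("MoveFileEx", "[rename]")]))
    if any(c.name.startswith("RegSetValue") for c in rec.calls):
        keys = [HIVES.get(c.args[0], c.args[0]) + "\\" + c.args[1]
                for c in rec.calls if c.name.startswith("RegOpenKey") and len(c.args) > 1]
        findings.append(("registry-write", keys))
    return findings

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.api_id, triage(rec))
```

Feed it the whole listing (every record between consecutive "APIs" headers is handled the same way) and the records that carry no flagged call pattern, such as the GDI and cursor-handling functions above, come back with an empty findings list, which is the point: the handful of records with dynamic resolution, reboot-time file replacement or registry writes are the ones worth opening in the disassembler.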
                                                        APIs
                                                        • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00478E1D
                                                        • SetWindowLongW.USER32(00000000,000000FC,00478D78), ref: 00478E44
                                                        • GetACP.KERNEL32(00000000,0047905C,?,00000000,00479086), ref: 00478E81
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00478EC7
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ClassInfoLongMessageSendWindow
                                                        • String ID: COMBOBOX$Inno Setup: Language
                                                        • API String ID: 3391662889-4234151509
                                                        • Opcode ID: 01d3e66c9a3e61d938acc5b64d74612a966164ff955126988d22db253828594a
                                                        • Instruction ID: 9a1e1fbd3c649eeeadcf20bc1b1a007eb45d24132bb8eba9a2a930841c17950d
                                                        • Opcode Fuzzy Hash: 01d3e66c9a3e61d938acc5b64d74612a966164ff955126988d22db253828594a
                                                        • Instruction Fuzzy Hash: 64814E34A40605DFC710DF69C889AAAB7F5FB49304F1081BAE808DB762DB78AD45CB59
                                                        APIs
                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00408DF8,?,?,?,?,00000000,00000000,00000000,?,00409DFF,00000000,00409E12), ref: 00408BCA
                                                          • Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                          • Part of subcall function 00408A44: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C46,?,?,?,00000000,00408DF8), ref: 00408A57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale$DefaultSystem
                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                        • API String ID: 1044490935-665933166
                                                        • Opcode ID: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
                                                        • Instruction ID: 6e389ecbf5aa42e5faf75f2f0cdd2dfe5a993f3520af0ea01b43abf2a46df86b
                                                        • Opcode Fuzzy Hash: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
                                                        • Instruction Fuzzy Hash: 20514E34B00148ABDB01EBAAC94169E676ADB98308F50947FB091BB7C7CE3CDA05975D
                                                        APIs
                                                        • GetVersion.KERNEL32(00000000,00411D89), ref: 00411C1C
                                                        • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411CDA
                                                          • Part of subcall function 00411F3C: CreatePopupMenu.USER32 ref: 00411F56
                                                        • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D66
                                                          • Part of subcall function 00411F3C: CreateMenu.USER32 ref: 00411F60
                                                        • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D4D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Menu$Insert$Create$ItemPopupVersion
                                                        • String ID: ,$?
                                                        • API String ID: 2359071979-2308483597
                                                        • Opcode ID: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
                                                        • Instruction ID: 3fb5e0cd3bdc3201fae72ff24864c2251e092a1c83a82613ff871d7f09dca240
                                                        • Opcode Fuzzy Hash: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
                                                        • Instruction Fuzzy Hash: 82510674A00145ABDB10EF7ADD816DA7BF9AB09304F21417BFA04E73A6E738D941CB58
                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28,00000000), ref: 004559B6
                                                        • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28), ref: 004559C3
                                                          • Part of subcall function 00455778: WaitForInputIdle.USER32(?,00000032), ref: 004557A4
                                                          • Part of subcall function 00455778: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
                                                          • Part of subcall function 00455778: GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
                                                          • Part of subcall function 00455778: CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                        • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                        • API String ID: 854858120-615399546
                                                        • Opcode ID: 3e4b0a1e103b7e8cb717b0e50394771715c1b6074b695854dfd9f18dc896e6e2
                                                        • Instruction ID: 0bf838f29b43a6125692e3b7c5bec048a51817b33ba316f47a5a27346a6aee42
                                                        • Opcode Fuzzy Hash: 3e4b0a1e103b7e8cb717b0e50394771715c1b6074b695854dfd9f18dc896e6e2
                                                        • Instruction Fuzzy Hash: 34518B7060074DABDB00EF95D892BEEBBB9AF44305F50453BB804B7292D77C5E098759
                                                        APIs
                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041C3B8
                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041C3C7
                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041C418
                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041C426
                                                        • DeleteObject.GDI32(?), ref: 0041C42F
                                                        • DeleteObject.GDI32(?), ref: 0041C438
                                                        • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C455
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Object$BitmapBitsDelete$CreateIcon
                                                        • String ID:
                                                        • API String ID: 1030595962-0
                                                        • Opcode ID: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
                                                        • Instruction ID: 503a746306143f5d70b37ccc37edd8169d972c8c437de2bc6362dd1504a2ea70
                                                        • Opcode Fuzzy Hash: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
                                                        • Instruction Fuzzy Hash: 52511831E002199FCB14DFE9C8819EEB7F9EF48314B10852AF914E7391D638AD81CB64
                                                        APIs
                                                        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D38E
                                                        • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D3AD
                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041D413
                                                        • RealizePalette.GDI32(?), ref: 0041D422
                                                        • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D48C
                                                        • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D4CA
                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041D4EF
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                        • String ID:
                                                        • API String ID: 2222416421-0
                                                        • Opcode ID: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
                                                        • Instruction ID: 994e6928e375576195bbff131da20e2633e51e8889d6c5a0b4bc55991cd6db0b
                                                        • Opcode Fuzzy Hash: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
                                                        • Instruction Fuzzy Hash: 10512FB0A00604AFD714DFA9C985F9AB7F9EF08304F148599B959D7292C778ED80CB58
                                                        APIs
                                                        • SendMessageA.USER32(00000000,?,?), ref: 00457BBE
                                                          • Part of subcall function 0042470C: GetWindowTextA.USER32(?,?,00000100), ref: 0042472C
                                                          • Part of subcall function 0041F334: GetCurrentThreadId.KERNEL32 ref: 0041F383
                                                          • Part of subcall function 0041F334: EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389
                                                          • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457C25
                                                        • TranslateMessage.USER32(?), ref: 00457C43
                                                        • DispatchMessageA.USER32(?), ref: 00457C4C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                        • String ID: [Paused]
                                                        • API String ID: 1007367021-4230553315
                                                        • Opcode ID: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
                                                        • Instruction ID: 06e1226616be40fe5bc559768a91633e97e499603686e5a952697563b4c26b81
                                                        • Opcode Fuzzy Hash: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
                                                        • Instruction Fuzzy Hash: 523195319082485EDB12DBB5E841BDE7BF8DB49304F908077E810E7292D63C9909CB68
                                                        APIs
                                                        • GetCursor.USER32(00000000,0046CB0B), ref: 0046CA88
                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0046CA96
                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CA9C
                                                        • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAA6
                                                        • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAAC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Cursor$LoadSleep
                                                        • String ID: CheckPassword
                                                        • API String ID: 4023313301-1302249611
                                                        • Opcode ID: 0aa64cbbfa6ee51f6af4513d1c42fabb596d922ffa3bf18d5eac006c523a3d99
                                                        • Instruction ID: dc4a4552949694c44ab81909cbfa5d37629526438aba0b0bd6801612213ae34e
                                                        • Opcode Fuzzy Hash: 0aa64cbbfa6ee51f6af4513d1c42fabb596d922ffa3bf18d5eac006c523a3d99
                                                        • Instruction Fuzzy Hash: 10318234740244AFD711DB69C8CAFAA7BE4AF05304F5580B6B944AB3E2D778AE40CB49
                                                        APIs
                                                          • Part of subcall function 00479D08: GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
                                                          • Part of subcall function 00479D08: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
                                                          • Part of subcall function 00479D08: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29
                                                        • SendMessageA.USER32(00000000,0000004A,00000000,0047A19A), ref: 00479E15
                                                        • GetTickCount.KERNEL32 ref: 00479E5A
                                                        • GetTickCount.KERNEL32 ref: 00479E64
                                                        • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00479EB9
                                                        Strings
                                                        • CallSpawnServer: Unexpected response: $%x, xrefs: 00479E4A
                                                        • CallSpawnServer: Unexpected status: %d, xrefs: 00479EA2
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                        • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                        • API String ID: 613034392-3771334282
                                                        • Opcode ID: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
                                                        • Instruction ID: d0290b535038f0b538ca996bd373034cc9ef5a4571df1c0a7e48467b85276075
                                                        • Opcode Fuzzy Hash: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
                                                        • Instruction Fuzzy Hash: 82319C34A102149ADB20EBB9C8867EEB7A59F44704F50843BB148EB382D67D8E41C7AD
                                                        APIs
                                                        • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A0CF
                                                        Strings
                                                        • Failed to load .NET Framework DLL "%s", xrefs: 0045A0B4
                                                        • CreateAssemblyCache, xrefs: 0045A0C6
                                                        • Fusion.dll, xrefs: 0045A06F
                                                        • .NET Framework CreateAssemblyCache function failed, xrefs: 0045A0F2
                                                        • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A0DA
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                        • API String ID: 190572456-3990135632
                                                        • Opcode ID: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
                                                        • Instruction ID: 9a321e89453ba4f36132349ca91dc91ba75a1bd21e0a38aa57df13fbbf55b943
                                                        • Opcode Fuzzy Hash: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
                                                        • Instruction Fuzzy Hash: B831A970D006059BCB11EFA5C84169EF7B5AF44715F40867BE910A7382DB3C9A188799
                                                        APIs
                                                          • Part of subcall function 0041C4D8: GetObjectA.GDI32(?,00000018), ref: 0041C4E5
                                                        • GetFocus.USER32 ref: 0041C5F8
                                                        • GetDC.USER32(?), ref: 0041C604
                                                        • SelectPalette.GDI32(?,?,00000000), ref: 0041C625
                                                        • RealizePalette.GDI32(?), ref: 0041C631
                                                        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C648
                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C670
                                                        • ReleaseDC.USER32(?,?), ref: 0041C67D
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                        • String ID:
                                                        • API String ID: 3303097818-0
                                                        • Opcode ID: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
                                                        • Instruction ID: 25388d08763cc31724119198cc62293da4a252d14e83de2780c9a5f0ba17a272
                                                        • Opcode Fuzzy Hash: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
                                                        • Instruction Fuzzy Hash: C6116A71A40608BBDB10EBE9CC85FAFB7FCEF48700F15446AB518E7281D6789D008B68
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004860F4), ref: 004860D9
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                        • API String ID: 47109696-2530820420
                                                        • Opcode ID: ff85b02056e2cb5a4886c45475dc49e10810097e95d73e01023e101910441b08
                                                        • Instruction ID: a713916a89d0883095a157a8cdf94fb09fad54fb56f7fa23aac7c7215c81ef38
                                                        • Opcode Fuzzy Hash: ff85b02056e2cb5a4886c45475dc49e10810097e95d73e01023e101910441b08
                                                        • Instruction Fuzzy Hash: C411BF30604248AADB82FB65CC45B9FBBA9DB12314F524977A800E7283EB3DDE45871D
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 00498385
                                                          • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                        • SelectObject.GDI32(00000000,00000000), ref: 004983A7
                                                        • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00498925), ref: 004983BB
                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 004983DD
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004983FA
                                                        Strings
                                                        • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004983B2
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                        • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                        • API String ID: 2948443157-222967699
                                                        • Opcode ID: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
                                                        • Instruction ID: c67935f8e5cb56b1937036d64f6bf01096dd8c8546995d157710775fc85ec82d
                                                        • Opcode Fuzzy Hash: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
                                                        • Instruction Fuzzy Hash: 10018875604605AFEB00DFE9CC41F5FB7ECDB49704F51447AB500E7281EA78AD008B68
                                                        APIs
                                                          • Part of subcall function 0044CDAC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CDC4
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,0044CE9E,?,?,?,?,00000000,00000000), ref: 0044CE26
                                                        • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CE37
                                                        • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CE47
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                        • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                        • API String ID: 2141747552-1050967733
                                                        • Opcode ID: 7ba4e215260a1174b67bd43160c3744282142a018bd3cfbd5bd7167bd4463890
                                                        • Instruction ID: a702f4643fe6e099115479b548097bfe9a63d2924ca5d738d996a727133e4afc
                                                        • Opcode Fuzzy Hash: 7ba4e215260a1174b67bd43160c3744282142a018bd3cfbd5bd7167bd4463890
                                                        • Instruction Fuzzy Hash: 65119170602308ABF710EFA2DCC2B5A77A8E794708F64047BA00066691D7BD99448A1D
                                                        APIs
                                                        • SelectObject.GDI32(00000000,?), ref: 0041B900
                                                        • SelectObject.GDI32(?,00000000), ref: 0041B90F
                                                        • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041B949
                                                        • SelectObject.GDI32(?,00000000), ref: 0041B957
                                                        • DeleteDC.GDI32(00000000), ref: 0041B960
                                                        • DeleteDC.GDI32(?), ref: 0041B969
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$Delete$Stretch
                                                        • String ID:
                                                        • API String ID: 1458357782-0
                                                        • Opcode ID: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
                                                        • Instruction ID: 7af7168ee4e3f122af8b0d4427163761b09037522acd9a56f3a9582fc2e5d9ca
                                                        • Opcode Fuzzy Hash: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
                                                        • Instruction Fuzzy Hash: F7117CB2E40559ABDF10D6D9D885FAFB7BCEF08304F004416B714FB241C678A8418B94
                                                        APIs
                                                        • GetCursorPos.USER32 ref: 0042383F
                                                        • WindowFromPoint.USER32(?,?), ref: 0042384C
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042385A
                                                        • GetCurrentThreadId.KERNEL32 ref: 00423861
                                                        • SendMessageA.USER32(00000000,00000084,?,?), ref: 0042387A
                                                        • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423891
                                                        • SetCursor.USER32(00000000), ref: 004238A3
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                        • String ID:
                                                        • API String ID: 1770779139-0
                                                        • Opcode ID: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
                                                        • Instruction ID: af43fee0338c9e624ebb6e65c196278dc7248109df2d757125d2dc099b9481b9
                                                        • Opcode Fuzzy Hash: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
                                                        • Instruction Fuzzy Hash: 4C01B16230431136D6207A795C86E2F26E8DFC5B19F50413FB509BE282DA3D8C00636D
                                                        APIs
                                                        • RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                        • RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                        • RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                        • String ID: `I$`I
                                                        • API String ID: 730355536-3984424023
                                                        • Opcode ID: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
                                                        • Instruction ID: 94269b02b44d1611755d75869bdd1b1cad58823c34eb859de2800409b3eb1631
                                                        • Opcode Fuzzy Hash: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
                                                        • Instruction Fuzzy Hash: BC01C070644240AEFB19EB6B98027253ED4D799748F11883BF440A6AF1CABD4840CB6E
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 004981A8
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004981B5
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004981C2
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                        • API String ID: 667068680-2254406584
                                                        • Opcode ID: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
                                                        • Instruction ID: c24bc2e529edd3fc2f7d71c8166a3bd51aa09706bb3324dad5a4058a97bc4c43
                                                        • Opcode Fuzzy Hash: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
                                                        • Instruction Fuzzy Hash: D5F09662B81A1566DA20257E1C42A7B69CCCB87764F14017FBE44B7383EDAD8C0646BD
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045DA21
                                                        • GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045DA31
                                                        • GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045DA41
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                        • API String ID: 190572456-508647305
                                                        • Opcode ID: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
                                                        • Instruction ID: 1edccc56acb66b4562ddfa4c7a90d58ee85ee4b976394e257a4a6a33c45d2cf5
                                                        • Opcode Fuzzy Hash: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
                                                        • Instruction Fuzzy Hash: 52F01DB09056008BD314DF36AC45727379DEB98306F58803BA845D11A3E77A089CEA0C
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DF21
                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DF31
                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DF41
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                        • API String ID: 190572456-212574377
                                                        • Opcode ID: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
                                                        • Instruction ID: c781611ed6df2ffd52f678218cea13a9d8474895aea0bca464552a1c0941260e
                                                        • Opcode Fuzzy Hash: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
                                                        • Instruction Fuzzy Hash: 97F030B5E00300DEE724DF32AC0972336D9AFA4716F14803BA946D66A3D378444DCE2D
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEC5
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EECB
                                                        • InterlockedExchange.KERNEL32(0049E66C,00000001), ref: 0042EEDC
                                                          • Part of subcall function 0042EE3C: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
                                                          • Part of subcall function 0042EE3C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
                                                          • Part of subcall function 0042EE3C: InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69
                                                        • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEF0
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                        • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                        • API String ID: 142928637-2676053874
                                                        • Opcode ID: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
                                                        • Instruction ID: d73472cc1cf9ee785b15135c95e247d87a8e276cbab312dacd1aac06db931f35
                                                        • Opcode Fuzzy Hash: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
                                                        • Instruction Fuzzy Hash: 6BE01BB1750720E6EE10B7777C46FA72654DB64769F950437F100A51D1C7FE0C848A6D
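                                                        As an added illustration (not Joe Sandbox's code and not part of this report), the Python below turns the per-function API lines above into a table of the exports that Setup.tmp resolves at run time, which is what the repeated GetProcAddress entries in this listing amount to. It assumes only the line format visible on this page; the embedded LISTING is an excerpt copied from the blocks above. Two caveats are built in. The report's reconstructed arguments are approximate (in the ChangeWindowMessageFilterEx block the export name sits on the GetModuleHandleA line while GetProcAddress shows user32.dll), so names are pooled per function from every resolver call plus the function's String ID entry. Function start addresses are not shown here, so each row is labelled by the ref address of its first API call; that label is this example's convention, not the report's.

```python
import re

# Excerpt copied from the function listing on this page (Joe Sandbox "APIs" and
# "String ID" entries for Setup.tmp); fields this parser does not use were left out.
LISTING = r"""
APIs
  • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004860F4), ref: 004860D9
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
APIs
• LoadLibraryA.KERNEL32(00000000,00000000,0044CE9E,?,?,?,?,00000000,00000000), ref: 0044CE26
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CE37
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CE47
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
APIs
• GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045DA21
• GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045DA31
• GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045DA41
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEC5
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EECB
• InterlockedExchange.KERNEL32(0049E66C,00000001), ref: 0042EEDC
  • Part of subcall function 0042EE3C: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
  • Part of subcall function 0042EE3C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEF0
• String ID: ChangeWindowMessageFilterEx$user32.dll
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix, then
# Api.MODULE, optional "(args)," and the " ref: XXXXXXXX" call-site address.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?"
    r"\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")          # stack noise / addresses, not names
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "LoadLibraryA"}


def parse_listing(text):
    """Split the listing into one record per 'APIs' block (one per function)."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = {"apis": [], "strings": []}
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_LINE.match(line)):
            args = m.group("args")
            cur["apis"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args is not None else [],
                "ref": m.group("ref"),
                "subcall": m.group("subfn"),   # set when the call is inside a callee
            })
        elif line.startswith("String ID:"):
            cur["strings"] = [s.strip() for s in line[len("String ID:"):].split("$") if s.strip()]
    return blocks


def dynamic_imports(blocks):
    """For every function that calls GetProcAddress, list the DLL names and export
    names seen in its resolver arguments or in its String ID entry (pooled, because
    the report's argument reconstruction is approximate)."""
    rows = []
    for b in blocks:
        if not any(a["api"] == "GetProcAddress" for a in b["apis"]):
            continue
        names = set(b["strings"])
        for a in b["apis"]:
            if a["api"] in RESOLVERS:
                names.update(x for x in a["args"] if x != "?" and not HEX8.match(x))
        dlls = {n for n in names if n.lower().endswith(".dll")}
        rows.append({
            "first_ref": b["apis"][0]["ref"],   # label only; function start is not in the listing
            "dlls": sorted(dlls),
            "exports": sorted(names - dlls),
        })
    return rows


if __name__ == "__main__":
    for row in dynamic_imports(parse_listing(LISTING)):
        print(f"near {row['first_ref']}: {row['dlls'] or '<dll not named>'} -> {row['exports']}")
```

Functions whose resolver block names no DLL (the ISCryptGetVersion/ArcFour trio here) come out with an empty dlls list rather than a guessed module name; the listing does not show where that handle was obtained, so the table should not pretend it does.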
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
                                                        • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
                                                        • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                        • API String ID: 667068680-222143506
                                                        • Opcode ID: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
                                                        • Instruction ID: e761ed85866ee686b9535240fc539701727dd680da56f3fb001ecc562e4fb54d
                                                        • Opcode Fuzzy Hash: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
                                                        • Instruction Fuzzy Hash: 07C012E0680701AED610B7715C86D7E254DD550B1A320C03B7089B55C3D67C0C284F2D
                                                        APIs
                                                        • GetFocus.USER32 ref: 0041BBD5
                                                        • GetDC.USER32(?), ref: 0041BBE1
                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BC16
                                                        • RealizePalette.GDI32(00000000), ref: 0041BC22
                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC50
                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC84
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Palette$Select$BitmapCreateFocusRealize
                                                        • String ID:
                                                        • API String ID: 3275473261-0
                                                        • Opcode ID: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
                                                        • Instruction ID: 6f3d196da8cc9963e266c073c65a40cf0d83fd4bf7ad6034c31d612a174a896e
                                                        • Opcode Fuzzy Hash: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
                                                        • Instruction Fuzzy Hash: 23511D70A00209AFDB11DFA9C895AEEBBF8FF49704F10446AF500A7750D7799D81CBA9
                                                        APIs
                                                        • GetFocus.USER32 ref: 0041BEA7
                                                        • GetDC.USER32(?), ref: 0041BEB3
                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEED
                                                        • RealizePalette.GDI32(00000000), ref: 0041BEF9
                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BF1D
                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF51
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Palette$Select$BitmapCreateFocusRealize
                                                        • String ID:
                                                        • API String ID: 3275473261-0
                                                        • Opcode ID: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
                                                        • Instruction ID: d1d8e12ac76011fa0e11fd225ecf21e9d1788b3d06fe05564f2eab64f20773a9
                                                        • Opcode Fuzzy Hash: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
                                                        • Instruction Fuzzy Hash: 28510875A00618AFCB11DFA9C891AEEBBF9EF49700F158066F504EB750D7389D40CBA8
                                                        APIs
                                                          • Part of subcall function 0042F2FC: GetTickCount.KERNEL32 ref: 0042F302
                                                          • Part of subcall function 0042F118: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F14D
                                                        • GetLastError.KERNEL32(00000000,004776FD,?,?,0049F1E4,00000000), ref: 004775D0
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CountErrorFileLastMoveTick
                                                        • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx$Renaming uninstaller.$The existing file appears to be in use (%d). Retrying.
                                                        • API String ID: 2406187244-79500563
                                                        • Opcode ID: f00db5f89b9f5975da9f6cb11f7777b8f20394951357caea12b8a3a53631f4f6
                                                        • Instruction ID: 6023fe8b67aa7ba447fd38945f059c1701a0e9a08149722a7a21e5b3243787af
                                                        • Opcode Fuzzy Hash: f00db5f89b9f5975da9f6cb11f7777b8f20394951357caea12b8a3a53631f4f6
                                                        • Instruction Fuzzy Hash: 2B4145749041099FCB11EFA9D882ADEB7B4EF48314FA0853BE404A7355D77CA905CBAD
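The entry above shows the retry pattern behind the "The existing file appears to be in use (%d). Retrying." string: a GetTickCount deadline, MoveFileExA with MOVEFILE_REPLACE_EXISTING, and a GetLastError check that decides whether to try again. The following Python is an added illustration of that loop, written for this report; it is not code from the sample, from Joe Sandbox, or from the installer engine whose strings these are. The set of error codes treated as "in use", the file names, and the timing values are this example's own assumptions; the replace, clock and sleep callables are injectable so the loop can be driven against a fake lock without touching the filesystem.

```python
"""Bounded retry for replacing a file that another process may still hold open.

Constructed example mirroring the GetTickCount / MoveFileEx(MOVEFILE_REPLACE_EXISTING)
/ GetLastError pattern in the function listing; not code from the analysed sample.
"""
import errno
import os
import time
from typing import Callable

# Assumption: these are the codes a replace-with-retry loop should treat as "in use".
# The report only shows that some GetLastError value triggers a retry.
WIN_IN_USE = {5, 32, 33}   # ERROR_ACCESS_DENIED, ERROR_SHARING_VIOLATION, ERROR_LOCK_VIOLATION
POSIX_IN_USE = {errno.EACCES, errno.EBUSY, errno.ETXTBSY}


def is_in_use_error(exc: OSError) -> bool:
    """True when the OSError means the target is locked by another process."""
    winerror = getattr(exc, "winerror", None)   # only present on Windows builds
    if winerror is not None:
        return winerror in WIN_IN_USE
    return exc.errno in POSIX_IN_USE


def replace_with_retry(src: str, dst: str, timeout_s: float = 10.0, interval_s: float = 0.5,
                       replace: Callable[[str, str], None] = os.replace,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> int:
    """Move src over dst, retrying while dst is in use until the deadline passes.

    Returns the number of attempts made. Re-raises the last OSError once the deadline
    is reached, or immediately when the error is not an in-use condition.
    """
    deadline = clock() + timeout_s          # the GetTickCount-style bound
    attempts = 0
    while True:
        attempts += 1
        try:
            replace(src, dst)               # os.replace maps to MoveFileEx(..., MOVEFILE_REPLACE_EXISTING)
            return attempts
        except OSError as exc:
            if not is_in_use_error(exc) or clock() >= deadline:
                raise
            # This is where the installer logs "appears to be in use (%d). Retrying."
            sleep(interval_s)


class FakeClock:
    """Deterministic stand-in for time.monotonic / time.sleep."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def make_locked_replace(busy_attempts: int, code: int = errno.EBUSY) -> Callable[[str, str], None]:
    """Build a replace() that reports an error for the first busy_attempts calls, then succeeds."""
    calls = {"n": 0}

    def fake_replace(src: str, dst: str) -> None:
        calls["n"] += 1
        if calls["n"] <= busy_attempts:
            raise OSError(code, os.strerror(code), dst)
    return fake_replace


def demo(busy_attempts: int, timeout_s: float = 10.0, interval_s: float = 0.5) -> int:
    """Run the loop against a fake lock held for busy_attempts calls.

    Returns the attempt count on success, or -1 when the deadline expires. File names
    are placeholders for the uninstaller rename the listing refers to.
    """
    clock = FakeClock()
    try:
        return replace_with_retry("unins.tmp", "unins.exe", timeout_s, interval_s,
                                  replace=make_locked_replace(busy_attempts),
                                  clock=clock, sleep=clock.sleep)
    except OSError:
        return -1


if __name__ == "__main__":
    print("attempts until success:", demo(busy_attempts=3))
    print("result when lock never clears:", demo(busy_attempts=100, timeout_s=2.0))
```

The deadline is checked only after a failure, so a single attempt is always made even with a zero timeout, which matches what a tick-count bound in the installer's loop would do. A non-in-use error (for instance a missing source file) is re-raised on the first attempt rather than retried.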
                                                        APIs
                                                        • GetFocus.USER32 ref: 0041BA0E
                                                        • GetDC.USER32(?), ref: 0041BA1A
                                                        • GetDeviceCaps.GDI32(?,00000068), ref: 0041BA36
                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA53
                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA6A
                                                        • ReleaseDC.USER32(?,?), ref: 0041BAB6
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                        • String ID:
                                                        • API String ID: 2502006586-0
                                                        • Opcode ID: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
                                                        • Instruction ID: a7c0e65a03819a5ca0ecfd2330013adb4d65aecf06c5c54e884ed256bbcda07e
                                                        • Opcode Fuzzy Hash: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
                                                        • Instruction Fuzzy Hash: 7941C371A042149FDB10DFA9C886AAFBBB4EF45740F1484AAF940EB351D238AD11CBA5
                                                        APIs
                                                        • SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
                                                        • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045DA14,?,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D986
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                        • API String ID: 1452528299-1580325520
                                                        • Opcode ID: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
                                                        • Instruction ID: 6e5dfac74c505aaab96e92fe344d79fc6b24c6561d5ee78f4b35f8cdf0e82ab5
                                                        • Opcode Fuzzy Hash: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
                                                        • Instruction Fuzzy Hash: 1611A5B5A04209AFD731DEA1C941BAA7AACDF48306F6040376D04A6283D67C5F0AD52E
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000000B), ref: 0041C265
                                                        • GetSystemMetrics.USER32(0000000C), ref: 0041C26F
                                                        • GetDC.USER32(00000000), ref: 0041C279
                                                        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C2A0
                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C2AD
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041C2E6
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CapsDeviceMetricsSystem$Release
                                                        • String ID:
                                                        • API String ID: 447804332-0
                                                        • Opcode ID: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
                                                        • Instruction ID: 9f2a90fdc7dd77bbc6d9abc5b90aadbfd0b864dc6f709442552c07669a95c1ee
                                                        • Opcode Fuzzy Hash: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
                                                        • Instruction Fuzzy Hash: 07213C75E44649AFEB00EFE9C882BEEB7B4EB48714F10806AF514B7280D7795940CB69
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,00401B68), ref: 00401ABD
                                                        • LocalFree.KERNEL32(00828C78,00000000,00401B68), ref: 00401ACF
                                                        • VirtualFree.KERNEL32(?,00000000,00008000,00828C78,00000000,00401B68), ref: 00401AEE
                                                        • LocalFree.KERNEL32(00829C78,?,00000000,00008000,00828C78,00000000,00401B68), ref: 00401B2D
                                                        • RtlLeaveCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B58
                                                        • RtlDeleteCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B62
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                        • String ID:
                                                        • API String ID: 3782394904-0
                                                        • Opcode ID: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
                                                        • Instruction ID: e11c9f51ffc8675c4dd52d411ec329e75971582e09b40c19516fbc4ecb4e7f79
                                                        • Opcode Fuzzy Hash: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
                                                        • Instruction Fuzzy Hash: 1E119D30B00340AAEB15EB67AC82B263BE49765708F44047BF40067AF2D67DA840876E
                                                        APIs
                                                        • GetWindowLongA.USER32(?,000000EC), ref: 004809AA
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046E2F5), ref: 004809D0
                                                        • GetWindowLongA.USER32(?,000000EC), ref: 004809E0
                                                        • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00480A01
                                                        • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00480A15
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00480A31
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$Show
                                                        • String ID:
                                                        • API String ID: 3609083571-0
                                                        • Opcode ID: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
                                                        • Instruction ID: 5fbc0a759a363429862e9e166b445db90943e559ec10ec679e577617c806b0ab
                                                        • Opcode Fuzzy Hash: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
                                                        • Instruction Fuzzy Hash: 3C014CB1650210ABD710EB79CD41F2A77A8AB2D310F054767FA55EB3E3C239EC048B08
                                                        APIs
                                                          • Part of subcall function 0041AB70: CreateBrushIndirect.GDI32 ref: 0041ABDB
                                                        • UnrealizeObject.GDI32(00000000), ref: 0041B70C
                                                        • SelectObject.GDI32(?,00000000), ref: 0041B71E
                                                        • SetBkColor.GDI32(?,00000000), ref: 0041B741
                                                        • SetBkMode.GDI32(?,00000002), ref: 0041B74C
                                                        • SetBkColor.GDI32(?,00000000), ref: 0041B767
                                                        • SetBkMode.GDI32(?,00000001), ref: 0041B772
                                                          • Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                        • String ID:
                                                        • API String ID: 3527656728-0
                                                        • Opcode ID: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
                                                        • Instruction ID: e5a7d4b7c2e235827ad94a1825542cc68ab193fc61db3cfd758683236e3ca83d
                                                        • Opcode Fuzzy Hash: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
                                                        • Instruction Fuzzy Hash: 25F0C275615100ABDE00FFBADACAE4B37989F443097048097B504DF197C67CE8504B39
                                                        APIs
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473C61
                                                        • FindClose.KERNEL32(000000FF,00473C8C,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473C7F
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473D83
                                                        • FindClose.KERNEL32(000000FF,00473DAE,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473DA1
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileNext
                                                        • String ID: @G
                                                        • API String ID: 2066263336-4243591082
                                                        • Opcode ID: 1cc741e5c4ef1280895ba2791e394c1bf036ebb5d817aa49c04b32d02f1d3c68
                                                        • Instruction ID: 0da19416abf0173bdc8d3c7c7f8ad009371619145402d5c4f287baa4c6a871bb
                                                        • Opcode Fuzzy Hash: 1cc741e5c4ef1280895ba2791e394c1bf036ebb5d817aa49c04b32d02f1d3c68
                                                        • Instruction Fuzzy Hash: 28C1393490424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE848B7291D738AA45DF58
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045609F,?,00000000,004560DF), ref: 00455FE5
                                                        Strings
                                                        • PendingFileRenameOperations, xrefs: 00455F84
                                                        • PendingFileRenameOperations2, xrefs: 00455FB4
                                                        • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455F68
                                                        • WININIT.INI, xrefs: 00456014
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                        • API String ID: 47109696-2199428270
                                                        • Opcode ID: 9dfc2b98b90071e22a213d9389a7df350b212952719fe429392f10e3a4148aed
                                                        • Instruction ID: a4a9f2ec6dce7785653c913c6c24b0c1e176cc517468c749f5f74b0afa9d98e4
                                                        • Opcode Fuzzy Hash: 9dfc2b98b90071e22a213d9389a7df350b212952719fe429392f10e3a4148aed
                                                        • Instruction Fuzzy Hash: F551B430E002089BDB15EF62DD51ADEB7B9EF45705F50817BF904A72C2DB78AE49CA18
                                                        APIs
                                                          • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                        • ShowWindow.USER32(?,00000005,00000000,0049AE45,?,?,00000000), ref: 0049AC16
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                          • Part of subcall function 00407738: SetCurrentDirectoryA.KERNEL32(00000000,?,0049AC3E,00000000,0049AE11,?,?,00000005,00000000,0049AE45,?,?,00000000), ref: 00407743
                                                          • Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                        • String ID: .dat$.msg$IMsg$Uninstall
                                                        • API String ID: 3312786188-1660910688
                                                        • Opcode ID: 53b6f65285982668746e543cc84d5efa9f0486b10c6d6310eca3673f68ba39dd
                                                        • Instruction ID: 41fce5d7155baeeb4201c3977cb987a547f2b9c6e2b52af906847905e2aac1f5
                                                        • Opcode Fuzzy Hash: 53b6f65285982668746e543cc84d5efa9f0486b10c6d6310eca3673f68ba39dd
                                                        • Instruction Fuzzy Hash: 4E31A374A00214AFCB00EF65CC52A6E7BB5FB89304F61857AF800E7752D739AD15CB99
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF6A
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF70
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressByteCharHandleModuleMultiProcWide
                                                        • String ID: ShutdownBlockReasonCreate$user32.dll
                                                        • API String ID: 828529508-2866557904
                                                        • Opcode ID: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
                                                        • Instruction ID: 98e14bcb75ccd3fa79125cd8f842b3c85c6f4936fd04c03cffbbcbf6111bfa2c
                                                        • Opcode Fuzzy Hash: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
                                                        • Instruction Fuzzy Hash: 8AF0F6E134462237E620B27FAC82F7B55CC8F98719F15003AB508FA2C1EA6CC905426F
                                                        APIs
                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004588B8
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 004588D9
                                                        • CloseHandle.KERNEL32(?,0045890C), ref: 004588FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                        • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                        • API String ID: 2573145106-3235461205
                                                        • Opcode ID: be6dda61f35e97c9406aa8abc37fd9e2e9b8a4ec884dd5ed8b307779caa2d451
                                                        • Instruction ID: 5ab474d98eb3a0ece9291f621c53fee7be03ae90ebbbcbdbcbdfc60506012216
                                                        • Opcode Fuzzy Hash: be6dda61f35e97c9406aa8abc37fd9e2e9b8a4ec884dd5ed8b307779caa2d451
                                                        • Instruction Fuzzy Hash: 5601A271600204AFDB11EBA98C02A6A73A8EB45715F60057AF810F73D3DE38AE04961D
                                                        APIs
                                                        • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2E0
                                                        • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E47B,00000000,0042E493,?,?,?,?,00000006,?,00000000,0049A6E1), ref: 0042E2FB
                                                        • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E301
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressDeleteHandleModuleProc
                                                        • String ID: RegDeleteKeyExA$advapi32.dll
                                                        • API String ID: 588496660-1846899949
                                                        • Opcode ID: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
                                                        • Instruction ID: 4593d6951ad1389f122581937974f3187b46c4a982a9796ded25b619d02fe20b
                                                        • Opcode Fuzzy Hash: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
                                                        • Instruction Fuzzy Hash: 84E06571750234F6D674AA677C4AF97260CD764726F940837F545661D187BC1C40CA5C
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
                                                        • InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressExchangeHandleInterlockedModuleProc
                                                        • String ID: ChangeWindowMessageFilter$user32.dll
                                                        • API String ID: 3478007392-2498399450
                                                        • Opcode ID: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
                                                        • Instruction ID: 048ca61b172dfedb03cf1c059d2784ab3124221c9e2a99dd16ddbc81be59c6a3
                                                        • Opcode Fuzzy Hash: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
                                                        • Instruction Fuzzy Hash: B6E0B6A1661310EAFA10B7736C8AF562555AB34B19FA1043BF100651E1C6BC0884C91D
                                                        APIs
                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
                                                        • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProcProcessThreadWindow
                                                        • String ID: AllowSetForegroundWindow$user32.dll
                                                        • API String ID: 1782028327-3855017861
                                                        • Opcode ID: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
                                                        • Instruction ID: 5357bd2adcb02916e042a40b4a090124369338466f1717feba3059f4eb7ed124
                                                        • Opcode Fuzzy Hash: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
                                                        • Instruction Fuzzy Hash: F8D0A9A0200301A6ED20B3B68C0BEEF239C8E9470AB10C83B3808F2187CA3CDC455B3C
                                                        APIs
                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448C1C), ref: 00448B48
                                                        • GetLastError.KERNEL32(00000000,?,?,00000000,00448C1C), ref: 00448B6F
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00448BD6
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00448C1C), ref: 00448BF1
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$AddressLibraryLoadProc
                                                        • String ID:
                                                        • API String ID: 1866314245-0
                                                        • Opcode ID: 63cc74ccd02df5d1501b917637fd563c114fed944347ce56eb0fb2cf20442c69
                                                        • Instruction ID: 86cd10a4b754a346bbb6b93b1800c6189756eba4f25aae068f18fd67d3000257
                                                        • Opcode Fuzzy Hash: 63cc74ccd02df5d1501b917637fd563c114fed944347ce56eb0fb2cf20442c69
                                                        • Instruction Fuzzy Hash: B35146B0A001459FDB00EF95C481AAFB7F8EF45315F10817EE414BB396CA789E458B59
                                                        APIs
                                                        • BeginPaint.USER32(00000000,?), ref: 004170E2
                                                        • SaveDC.GDI32(?), ref: 00417113
                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,004171D5), ref: 00417174
                                                        • RestoreDC.GDI32(?,?), ref: 0041719B
                                                        • EndPaint.USER32(00000000,?,004171DC,00000000,004171D5), ref: 004171CF
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                        • String ID:
                                                        • API String ID: 3808407030-0
                                                        • Opcode ID: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
                                                        • Instruction ID: a59a5e74ec56046a8e44d3172024536881dae92cda495952d4f2aea49f83957e
                                                        • Opcode Fuzzy Hash: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
                                                        • Instruction Fuzzy Hash: 9C413D70A08204AFDB14DBA9C985FAA77F9FB48314F1544AAE8059B362C7789D81CB18
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
                                                        • Instruction ID: b7433d6af5671a809cf87ab508426f3e85ed5e2fdb4bb50135625d5106dc29cf
                                                        • Opcode Fuzzy Hash: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
                                                        • Instruction Fuzzy Hash: 1B3170706057009FC720EB2DC884AABB7E8AF89710F04891EF9D5C3751D238EC808B59
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000000B), ref: 0041C05A
                                                        • GetSystemMetrics.USER32(0000000C), ref: 0041C064
                                                        • GetDC.USER32(00000000), ref: 0041C0A2
                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0E9
                                                        • DeleteObject.GDI32(00000000), ref: 0041C12A
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                        • String ID:
                                                        • API String ID: 1095203571-0
                                                        • Opcode ID: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
                                                        • Instruction ID: af0cd6ff41168786fc466cfb62adbf741af89e47da0ede509f3e80318da31809
                                                        • Opcode Fuzzy Hash: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
                                                        • Instruction Fuzzy Hash: 92314174E40205EFDB00DFA5C981AAEB7F5EB48704F1185AAF510AB381D7789E80DF98
                                                        APIs
                                                        • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C98
                                                        • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429CC7
                                                        • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CE3
                                                        • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429D0E
                                                        • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429D2C
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
                                                        • Instruction ID: 60921b255c01a359d0eb68e62e5e28d9b6fe2da514f119f30b014399c46582d3
                                                        • Opcode Fuzzy Hash: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
                                                        • Instruction Fuzzy Hash: C121AF707007057AD710ABA7DC82F4BB6ACDB40708F90043EB501AB2D2DB78AD41866D
                                                        APIs
                                                          • Part of subcall function 0045D8DC: SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 004751FA
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 00475210
                                                        Strings
                                                        • Could not set permissions on the key because it currently does not exist., xrefs: 00475204
                                                        • Failed to set permissions on the key (%d)., xrefs: 00475221
                                                        • Setting permissions on key: %s\%s, xrefs: 004751BE
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: Could not set permissions on the key because it currently does not exist.$Failed to set permissions on the key (%d).$Setting permissions on key: %s\%s
                                                        • API String ID: 1452528299-522033246
                                                        • Opcode ID: 9afe7f6ef950d09d727a421adb36acbdfe7afe6cee18ff7455d772914f0bda9c
                                                        • Instruction ID: 51041ab3257bc5012ea3fc5fd74b59e1bc6a173a0ae5939bb589f078bf527dbc
                                                        • Opcode Fuzzy Hash: 9afe7f6ef950d09d727a421adb36acbdfe7afe6cee18ff7455d772914f0bda9c
                                                        • Instruction Fuzzy Hash: 0821A770A046045FDB00EBA9D8416DEBBF4EB89314F5044BBE404EB353DBB85D058BAD
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                        • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                        • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocString
                                                        • String ID:
                                                        • API String ID: 262959230-0
                                                        • Opcode ID: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
                                                        • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                        • Opcode Fuzzy Hash: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
                                                        • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                        APIs
                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 004148A9
                                                        • RealizePalette.GDI32(00000000), ref: 004148B1
                                                        • SelectPalette.GDI32(00000000,00000000,00000001), ref: 004148C5
                                                        • RealizePalette.GDI32(00000000), ref: 004148CB
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004148D6
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Palette$RealizeSelect$Release
                                                        • String ID:
                                                        • API String ID: 2261976640-0
                                                        • Opcode ID: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
                                                        • Instruction ID: 1b199f70f0334c5ad2d95ba866badc65d16692e0f82b4d98eea4daff33ed8e78
                                                        • Opcode Fuzzy Hash: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
                                                        • Instruction Fuzzy Hash: 8901DF7521C3806AE200B63D8C85A9F6FEC9FCA314F05596EF498DB382CA7ACC018765
                                                        Strings
                                                        • NextButtonClick, xrefs: 0046D1F8
                                                        • PrepareToInstall failed: %s, xrefs: 0046D41A
                                                        • Need to restart Windows? %s, xrefs: 0046D441
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                        • API String ID: 0-2329492092
                                                        • Opcode ID: 63d3597acc74761f4a9ef7d7e63a4e4b970332813741b9af62c50f78ebebbda6
                                                        • Instruction ID: 44988f13848ffd89d71039ac62f11851b9b9fcebd064a36e5433384ef0c4aa5d
                                                        • Opcode Fuzzy Hash: 63d3597acc74761f4a9ef7d7e63a4e4b970332813741b9af62c50f78ebebbda6
                                                        • Instruction Fuzzy Hash: 4ED13E34E00109DFDB00EF99C585AEE77F5AB49308F6444B6E804AB352E778AE45CB5A
                                                        APIs
                                                        • SetActiveWindow.USER32(?,?,00000000,00485795), ref: 00485568
                                                        • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00485606
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ActiveChangeNotifyWindow
                                                        • String ID: $Need to restart Windows? %s
                                                        • API String ID: 1160245247-4200181552
                                                        • Opcode ID: 9061c37254fef60ca9898f52830b83b37c3b313871d48de346d5b16913c0e269
                                                        • Instruction ID: 8ac728fbb8e3d27f98a22662cdea6886523d2868be6ee68a7c392ecda210aa03
                                                        • Opcode Fuzzy Hash: 9061c37254fef60ca9898f52830b83b37c3b313871d48de346d5b16913c0e269
                                                        • Instruction Fuzzy Hash: 1B91A034A006449FDB10EB69D885B9E77E1AF55308F5484BBE800DB366D73CA809CB5E
                                                        APIs
                                                          • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                        • GetLastError.KERNEL32(00000000,0047153D,?,?,0049F1E4,00000000), ref: 0047141A
                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471494
                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004714B9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ChangeNotify$ErrorFullLastNamePath
                                                        • String ID: Creating directory: %s
                                                        • API String ID: 2451617938-483064649
                                                        • Opcode ID: 5478a24772dd0d0e8c2d5609fb53a7c934c2ee6ad9183a5ec1ae9e87ae7531c0
                                                        • Instruction ID: 20bf2e2c57de6391f44c88e9dad00ec8a22121e450acada444c040a0f05f54d0
                                                        • Opcode Fuzzy Hash: 5478a24772dd0d0e8c2d5609fb53a7c934c2ee6ad9183a5ec1ae9e87ae7531c0
                                                        • Instruction Fuzzy Hash: 94514634E00248ABDB01DFA9C982BDEB7F5AF48304F50847AE815B7392D7789E04CB59
                                                        APIs
                                                        • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407493
                                                        • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040750D
                                                        • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407565
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Enum$NameOpenResourceUniversal
                                                        • String ID: Z
                                                        • API String ID: 3604996873-1505515367
                                                        • Opcode ID: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
                                                        • Instruction ID: 40f8d8e8b2f406d6a8a22564fe957c27a4ea1e6c79599dfe788430968c9fdea8
                                                        • Opcode Fuzzy Hash: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
                                                        • Instruction Fuzzy Hash: DD51A270E04608AFDB11EF99CC41A9EBBF9EB09314F1045BAE400B72D1D778AE418F5A
                                                        APIs
                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004613D4
                                                        • GetDIBits.GDI32(00000000,00000000,?,00000000,00000000,004615E1), ref: 004614D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: BitsCapsDevice
                                                        • String ID: $(
                                                        • API String ID: 1216508973-55695022
                                                        • Opcode ID: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
                                                        • Instruction ID: 5dc47b70b294587cc13581978d3ce92ec5f010f9ab1f52b5f87cd7b8da97004a
                                                        • Opcode Fuzzy Hash: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
                                                        • Instruction Fuzzy Hash: 67413E71E00209AFDB00DFA9C885AAEFBF8FF49304F14406AE515F72A0D7799944CB5A
                                                        APIs
                                                        • SetRectEmpty.USER32(?), ref: 0044D6BA
                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D6E5
                                                        • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D76D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: DrawText$EmptyRect
                                                        • String ID:
                                                        • API String ID: 182455014-2867612384
                                                        • Opcode ID: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
                                                        • Instruction ID: 12a4b21e602b9f7a78cd53eafda620a7b7433ebb18c5ccfef023c502be569e40
                                                        • Opcode Fuzzy Hash: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
                                                        • Instruction Fuzzy Hash: B6515171E00244AFDB11DFA5C885BDEBBF9EF49308F05847AE805EB252D7789944CB64
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0042F46A
                                                          • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                        • SelectObject.GDI32(?,00000000), ref: 0042F48D
                                                        • ReleaseDC.USER32(00000000,?), ref: 0042F56C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CreateFontIndirectObjectReleaseSelect
                                                        • String ID: ...\
                                                        • API String ID: 3133960002-983595016
                                                        • Opcode ID: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
                                                        • Instruction ID: 6da19e17498f2b2ee05211f2735e4231f31b0ac4056ea50bc180adaf4849e001
                                                        • Opcode Fuzzy Hash: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
                                                        • Instruction Fuzzy Hash: 3E313370B00229ABDF11EF9AD851BAEB7B8EB48304FD0447BF414A7291C77C5D45CA59
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045567E
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00455744), ref: 004556E8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressByteCharMultiProcWide
                                                        • String ID: SfcIsFileProtected$sfc.dll
                                                        • API String ID: 2508298434-591603554
                                                        • Opcode ID: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
                                                        • Instruction ID: 311e8501e48ef86dedbd1e32416f62ff44579e2f461d143f7aa5c8e880f43ce1
                                                        • Opcode Fuzzy Hash: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
                                                        • Instruction Fuzzy Hash: FC418670A00718DBEB20EB55DC95BAD77B8AB04309F5041B7A908E7293D7785F48DA5C
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle
                                                        • String ID: .tmp$_iu
                                                        • API String ID: 3498533004-10593223
                                                        • Opcode ID: 395db152fd65c362e2974d92ef0648ae146372e30c305f9e092b113869095efe
                                                        • Instruction ID: 578c6d25dcdad9d531da493d0199c9855db5075e5bb7f28aad5cf4ca392b9bb0
                                                        • Opcode Fuzzy Hash: 395db152fd65c362e2974d92ef0648ae146372e30c305f9e092b113869095efe
                                                        • Instruction Fuzzy Hash: F431C770E00119ABCB11EFA5C842B9EBBB5AF54309F60416AF804BB3C2D6385F4586A8
                                                        APIs
                                                        • GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
                                                        • UnregisterClassA.USER32(?,00400000), ref: 0041693B
                                                        • RegisterClassA.USER32(?), ref: 0041695E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Class$InfoRegisterUnregister
                                                        • String ID: @
                                                        • API String ID: 3749476976-2766056989
                                                        • Opcode ID: 95908a4b8d643ef5bfa5da8da74dc820b4acfd9787754f50a54d26a38ce9fbef
                                                        • Instruction ID: f0814f926fbfb3063bbfc520005841906eff1053595eb63299fc6e458af65efd
                                                        • Opcode Fuzzy Hash: 95908a4b8d643ef5bfa5da8da74dc820b4acfd9787754f50a54d26a38ce9fbef
                                                        • Instruction Fuzzy Hash: 70316E702043418BDB20EF69C485B9A77E5AB89308F04447FF985DF392DB39DD858B6A
                                                        APIs
                                                        • GetFileAttributesA.KERNEL32(00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B104
                                                        • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B12D
                                                        • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049B146
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: File$Attributes$Move
                                                        • String ID: isRS-%.3u.tmp
                                                        • API String ID: 3839737484-3657609586
                                                        • Opcode ID: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
                                                        • Instruction ID: e58a6bb4d61ebf27a8f85bf79e18a3daf7ddf139a146e4c83f08b8ac6b3baeb0
                                                        • Opcode Fuzzy Hash: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
                                                        • Instruction Fuzzy Hash: B2216470E10209ABCF04EFA9D9929AFBBB8EF44354F10453AB814B72D1D7385E018A99
                                                        APIs
                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                        • ExitProcess.KERNEL32 ref: 00404E0D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ExitMessageProcess
                                                        • String ID: Error$Runtime error at 00000000
                                                        • API String ID: 1220098344-2970929446
                                                        • Opcode ID: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
                                                        • Instruction ID: d5004cfacfd42fd5c2be0182736057b03719568bea5446043c3b888183e5f090
                                                        • Opcode Fuzzy Hash: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
                                                        • Instruction Fuzzy Hash: AE21B360A442519AEB15E7B7EC857163BD197E9348F048177E700B73E3C6BC984487AE
                                                        APIs
                                                          • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                          • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                          • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                        • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00457480
                                                        • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 004574AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                        • String ID: LoadTypeLib$RegisterTypeLib
                                                        • API String ID: 1312246647-2435364021
                                                        • Opcode ID: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
                                                        • Instruction ID: 9f3c69dbed6527a7536611739b590712afd4786c139aba5f8c5ce656fa2fa7d6
                                                        • Opcode Fuzzy Hash: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
                                                        • Instruction Fuzzy Hash: 0D11B130B04604BFDB11DFA6DD51A5ABBADEB89305F1084B6BC04D3652EA389A04CA18
                                                        APIs
                                                        • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 004579FE
                                                        • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A9B
                                                        Strings
                                                        • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457A2A
                                                        • Failed to create DebugClientWnd, xrefs: 00457A64
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                        • API String ID: 3850602802-3720027226
                                                        • Opcode ID: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
                                                        • Instruction ID: 1ab6ed05e85d1bb283b6b865c49c58556a26672ef247bde5bc39928aa0d5d30a
                                                        • Opcode Fuzzy Hash: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
                                                        • Instruction Fuzzy Hash: 751123707082106FE310AB28AC81B8F7B989B15309F04807BF985DB383C3799D08C7AE
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 0045048C
                                                        • LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 004504D2
                                                          • Part of subcall function 004503F4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045040C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$DirectorySystem
                                                        • String ID: RICHED20.DLL$RICHED32.DLL
                                                        • API String ID: 2630572097-740611112
                                                        • Opcode ID: 374f2d9e90cc37eef180cc8d20d2e3149e70aeb14d460e8c5a8d30249f6f1077
                                                        • Instruction ID: 4d2f5d6df61b0d0ac72fc53e5f3b8721577eb5fe8aac3b6587ce23d73eaa98fa
                                                        • Opcode Fuzzy Hash: 374f2d9e90cc37eef180cc8d20d2e3149e70aeb14d460e8c5a8d30249f6f1077
                                                        • Instruction Fuzzy Hash: 4F212174500248FFDB00FFA2D886B5E77F8EB5435AF504477E800A7662D7786A498E5C
                                                        APIs
                                                          • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                        • GetFocus.USER32 ref: 0047A8CB
                                                        • GetKeyState.USER32(0000007A), ref: 0047A8DD
                                                        • WaitMessage.USER32(?,00000000,0047A904,?,00000000,0047A92B,?,?,00000001,00000000,?,00482693,00000000,0048361D), ref: 0047A8E7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: FocusMessageStateTextWaitWindow
                                                        • String ID: Wnd=$%x
                                                        • API String ID: 1381870634-2927251529
                                                        • Opcode ID: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
                                                        • Instruction ID: 77d4776769ed3d961f5a478265b7c30efea3ded7fa53bcd9a53f0dfc2223b557
                                                        • Opcode Fuzzy Hash: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
                                                        • Instruction Fuzzy Hash: A91194B0604145AFC700FF66D841A9E77B8EB89714B5288B6F408E7281D73C6D208A6B
                                                        APIs
                                                        • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046FD58
                                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046FD67
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Time$File$LocalSystem
                                                        • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                        • API String ID: 1748579591-1013271723
                                                        • Opcode ID: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
                                                        • Instruction ID: 1dc787eced2517cb8807bab7c2b20f1510b2cd86f013857d73bb6b07fca1fef3
                                                        • Opcode Fuzzy Hash: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
                                                        • Instruction Fuzzy Hash: CB11F8A440C3919AD340DF2AC44472BBAE4AF99704F04496EF9C8D6391E77AC948DB67
                                                        APIs
                                                        • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045477F
                                                          • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 004547A4
                                                          • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesDeleteErrorLastMove
                                                        • String ID: DeleteFile$MoveFile
                                                        • API String ID: 3024442154-139070271
                                                        • Opcode ID: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
                                                        • Instruction ID: 530c5230d1c48a198e6632d8711bb006f4eeac499d42d39edb4531016cb1c6b4
                                                        • Opcode Fuzzy Hash: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
                                                        • Instruction Fuzzy Hash: C2F086752142445AE701FFA6D84266E63ECDB8431FFA1443BFC00BB6C3DA3C9D094929
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,004562AB,?,00000001,00000000), ref: 0045629E
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045624C
                                                        • PendingFileRenameOperations, xrefs: 00456270
                                                        • PendingFileRenameOperations2, xrefs: 0045627F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                        • API String ID: 47109696-2115312317
                                                        • Opcode ID: 48ad232b8f6a8cbfdb61e7b8cc1d16a08bbc4a1cad0ac18cbfd53448b60a69db
                                                        • Instruction ID: 03744892537dc61f373a56118159d2a705b6a08e7bce835c08af8ac15a0ef851
                                                        • Opcode Fuzzy Hash: 48ad232b8f6a8cbfdb61e7b8cc1d16a08bbc4a1cad0ac18cbfd53448b60a69db
                                                        • Instruction Fuzzy Hash: 2EF09671204604AFDB05E7A6DC13B6B73ACD744715FE245B7F900C7682DAB9ED04962C
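Added example (editor's code, not part of the Joe Sandbox report or its IDA plugin): a parser for the per-function blocks printed above, so the APIs, strings and instruction fuzzy hash of each block can be pulled out and run through a few triage rules instead of being read by eye. The fixture embeds two blocks copied from this page (the GetFileAttributesA/SetFileAttributesA/MoveFileExA block and the PendingFileRenameOperations block); the rule labels are the editor's own descriptions, not Joe Sandbox signature names. The parser prefers the per-string "xrefs" lines over the "String ID" field because the plugin joins strings with "$", which collides with the Delphi "$" hex prefix seen in the "Debugger version ($%.8x)" block above.

```python
import re
from dataclasses import dataclass, field

# Constructed fixture: two function blocks copied from this report, in the shape the
# Joe Sandbox IDA plugin prints them (APIs / Strings / Similarity). Nothing new is
# asserted about the sample; it only exercises the parser.
SAMPLE = r"""
APIs
• GetFileAttributesA.KERNEL32(00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B104
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B12D
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049B146
Strings
Memory Dump Source
• Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• Instruction Fuzzy Hash: B2216470E10209ABCF04EFA9D9929AFBBB8EF44354F10453AB814B72D1D7385E018A99
APIs
  • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
• RegCloseKey.ADVAPI32(?,004562AB,?,00000001,00000000), ref: 0045629E
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045624C
• PendingFileRenameOperations, xrefs: 00456270
• PendingFileRenameOperations2, xrefs: 0045627F
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• Instruction Fuzzy Hash: 2EF09671204604AFDB05E7A6DC13B6B73ACD744715FE245B7F900C7682DAB9ED04962C
"""

# "Name.MODULE(args), ref: addr", optionally prefixed by "Part of subcall function X:".
# Calls without an argument list (e.g. "ExitProcess.KERNEL32 ref: ...") also match.
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]{8})$")
XREF_RE = re.compile(r"^•\s*(.*), xrefs: [0-9A-F]{8}$")
FIELD_RE = re.compile(r"^•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: str = ""   # callee address when the call is inherited from a subroutine


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""


def parse_blocks(text):
    """Split plugin output into one FuncBlock per 'APIs' header."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # un-bulleted lines are section headers
            section = line
            if line == "APIs":
                cur = FuncBlock()
                blocks.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            caller, name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, args or "", ref, caller or ""))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            cur.strings.append(m.group(1))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.fuzzy_hash = val
    for b in blocks:
        # Fallback only: "String ID" joins strings with '$', which is ambiguous when a
        # string itself contains a Delphi-style '$' hex prefix; xref lines are exact.
        if not b.strings and b.string_id:
            b.strings = b.string_id.split("$")
    return blocks


# Triage rules over one parsed block. Labels are this example's own wording.
RULES = {
    "replaces an existing file in place (MOVEFILE_REPLACE_EXISTING)":
        lambda b: any(a.name.startswith("MoveFileEx") and "MOVEFILE_REPLACE_EXISTING" in a.args
                      for a in b.apis),
    "schedules a rename for next boot (PendingFileRenameOperations)":
        lambda b: any(s.startswith("PendingFileRenameOperations") for s in b.strings),
    "reads and rewrites file attributes before touching a file":
        lambda b: {"GetFileAttributesA", "SetFileAttributesA"} <= {a.name for a in b.apis},
}


def triage(text):
    """Map each block's instruction fuzzy hash to the rule labels it triggers."""
    return {b.fuzzy_hash: [label for label, pred in RULES.items() if pred(b)]
            for b in parse_blocks(text)}


if __name__ == "__main__":
    for h, labels in triage(SAMPLE).items():
        print(h[:16], labels)
```

Feed the whole "Joe Sandbox IDA Plugin" section of a report to parse_blocks and key on the instruction fuzzy hash when comparing two samples; the hash survives relocation, whereas the "ref:" addresses do not.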
                                                        APIs
                                                          • Part of subcall function 0044BBBC: LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
                                                          • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
                                                          • Part of subcall function 004659E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004659FB
                                                        • LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad$DirectorySystem
                                                        • String ID: SHPathPrepareForWriteA$shell32.dll
                                                        • API String ID: 1442766254-2683653824
                                                        • Opcode ID: af518b03cf9376046f8dcedef4f09e900b75585814e9c5691420b5e6294b90ad
                                                        • Instruction ID: 40adbffb9e5bdfd27d779661ae68592eaffae07e03a1378c290830cb38e34495
                                                        • Opcode Fuzzy Hash: af518b03cf9376046f8dcedef4f09e900b75585814e9c5691420b5e6294b90ad
                                                        • Instruction Fuzzy Hash: 07F04470640A08BFD701FBA2DC93F5E7BACDB45714FA0457BB400B6592E67C9E048A5D
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                        • API String ID: 47109696-2631785700
                                                        • Opcode ID: 5c71614b6ebbdb98b1cd66089ba05496443fa601233df4a1e1fdff343787822e
                                                        • Instruction ID: 38d3340ec7adb02875813bbcd1e17bd1b65749923c884860087a6e41a9d30ab7
                                                        • Opcode Fuzzy Hash: 5c71614b6ebbdb98b1cd66089ba05496443fa601233df4a1e1fdff343787822e
                                                        • Instruction Fuzzy Hash: CEF0A9713001109BC710EB1A9881B9E63CEDB92316F24403BBA85C7353E63CCC0A8629
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FD5
                                                        • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FF8
                                                        Strings
                                                        • System\CurrentControlSet\Control\Windows, xrefs: 00485FA2
                                                        • CSDVersion, xrefs: 00485FCC
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                        • API String ID: 3677997916-1910633163
                                                        • Opcode ID: 04f19c647358babaddb2de840e198823e9f56cdd25c3502559b60c430ba2a3c4
                                                        • Instruction ID: 690f3357d7f3b8f107864325de2190f20260369eddc5d30bd8c99057d7f378d2
                                                        • Opcode Fuzzy Hash: 04f19c647358babaddb2de840e198823e9f56cdd25c3502559b60c430ba2a3c4
                                                        • Instruction Fuzzy Hash: D9F04475A40208EADF10EAD58C45BDF73BC9B04704F104567EB10E7280EB39AA04CB5D
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                        • API String ID: 1646373207-4063490227
                                                        • Opcode ID: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
                                                        • Instruction ID: 364facf3dcd8fd4fb48bac821a112922c1d8aa8d1bb3947713f5e14a9d28bbdd
                                                        • Opcode Fuzzy Hash: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
                                                        • Instruction Fuzzy Hash: 8EE026A1B60F0113D700317A5C8375B208E4F84718F90043F3984F52C2DDBCD988462D
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF60), ref: 0042EFF2
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFF8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                        • API String ID: 1646373207-260599015
                                                        • Opcode ID: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
                                                        • Instruction ID: d167ebeb3a0c78ffef62d304a6593c01274f0b6b7e47665dfbb0b7c0d901300f
                                                        • Opcode Fuzzy Hash: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
                                                        • Instruction Fuzzy Hash: 68D0C792712732576A5035F53CC1AAB429CC9156AE3D40077FA40E6143D95DCC1926AC
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: NotifyWinEvent$user32.dll
                                                        • API String ID: 1646373207-597752486
                                                        • Opcode ID: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
                                                        • Instruction ID: 223032890b7009ceba89b3f881feb785258270d151d072d0a62a9436c582bc8a
                                                        • Opcode Fuzzy Hash: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
                                                        • Instruction Fuzzy Hash: 4FE012F0D417509AFB00FBB79846B093AE0D76471CB10107FF541A6653DBBC54588B1E
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: DisableProcessWindowsGhosting$user32.dll
                                                        • API String ID: 1646373207-834958232
                                                        • Opcode ID: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
                                                        • Instruction ID: 54119c6ef0f49054147f19105d5d020da2821b8521f233d32c589f61db0a4d0d
                                                        • Opcode Fuzzy Hash: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
                                                        • Instruction Fuzzy Hash: E5B09280681A01509C00B2B22E02A6B080CCC887997240037B400B00C6CF6C844504BD
                                                        APIs
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88), ref: 0047FA00
                                                        • FindClose.KERNEL32(000000FF,0047FA2B,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88,00000000), ref: 0047FA1E
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileNext
                                                        • String ID:
                                                        • API String ID: 2066263336-0
                                                        • Opcode ID: 9ad368ceea0c877d9926537a5f80a4e66bde3027648d760cd52d5e859b456359
                                                        • Instruction ID: a2492a823a8cbc0112e5e27725a6df3c9536d0a8ebd69a23b4f87c8590b3ed18
                                                        • Opcode Fuzzy Hash: 9ad368ceea0c877d9926537a5f80a4e66bde3027648d760cd52d5e859b456359
                                                        • Instruction Fuzzy Hash: AE814F7090024DAFCF11DFA5CC51AEFBBB8EB49304F5080BAE508A7291D7399A4ACF55
                                                        APIs
                                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?,00000000), ref: 00481FF2
                                                        • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?), ref: 00481FFF
                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497), ref: 004820F4
                                                        • FindClose.KERNEL32(000000FF,0048211F,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?), ref: 00482112
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileNext
                                                        • String ID:
                                                        • API String ID: 2066263336-0
                                                        • Opcode ID: be6ad9d2a8f964023a2a96152d1b99d0eb4f567829eb4774c7009b24f520566a
                                                        • Instruction ID: 08b9d9e684fed8dea23f8f184a6a28fa9329586f58159be8e4499552dc0984e9
                                                        • Opcode Fuzzy Hash: be6ad9d2a8f964023a2a96152d1b99d0eb4f567829eb4774c7009b24f520566a
                                                        • Instruction Fuzzy Hash: A8518F70A00648AFCB11EFA5CD45ADEB7B8EB49315F1084AAA908F7351D7389F85CF54
                                                        APIs
                                                        • GetDesktopWindow.USER32 ref: 004141D6
                                                        • GetDesktopWindow.USER32 ref: 0041428E
                                                          • Part of subcall function 00419350: 6FDEC6F0.COMCTL32(?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 0041936C
                                                          • Part of subcall function 00419350: ShowCursor.USER32(00000001,?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 00419389
                                                        • SetCursor.USER32(00000000,?,?,?,?,00413F83,00000000,00413F96), ref: 004142CC
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CursorDesktopWindow$Show
                                                        • String ID:
                                                        • API String ID: 2074268717-0
                                                        • Opcode ID: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
                                                        • Instruction ID: 19a59601e3d98a3dbb13d851837e3bb0d350916c882c7f1eea00ba3daa39fbf9
                                                        • Opcode Fuzzy Hash: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
                                                        • Instruction Fuzzy Hash: 1B414C74600161EFCB10EF6AE988B9637E1ABA5318B4588BBF414CB365D738DC81CB1D
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408F05
                                                        • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F74
                                                        • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 0040900F
                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040904E
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: LoadString$FileMessageModuleName
                                                        • String ID:
                                                        • API String ID: 704749118-0
                                                        • Opcode ID: e82b26a13167112293795b81e0a8a1b48de0332502f5cec77e68efbc7c471c2d
                                                        • Instruction ID: ceac9c6dafe2e417819c9b5c7653bc03c0e73b1c5c8721bcefa97444966463b6
                                                        • Opcode Fuzzy Hash: e82b26a13167112293795b81e0a8a1b48de0332502f5cec77e68efbc7c471c2d
                                                        • Instruction Fuzzy Hash: 6B3152716083819EE330EB65C945B9B77D89B86704F00483EB6C8EB2D2DBB999048767
                                                        APIs
                                                        • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EF79
                                                          • Part of subcall function 0044D5BC: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D5EE
                                                        • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EFFD
                                                          • Part of subcall function 0042C044: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C058
                                                        • IsRectEmpty.USER32(?), ref: 0044EFBF
                                                        • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EFE2
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                        • String ID:
                                                        • API String ID: 855768636-0
                                                        • Opcode ID: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
                                                        • Instruction ID: 10a93ef1daca5ec4afac806ac6fb62918bca6b9886f72cf97470359dbd205846
                                                        • Opcode Fuzzy Hash: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
                                                        • Instruction Fuzzy Hash: F211387170030027E720BA7E9C86B5B76899B88748F04083FB545EB383DD79D80987AA
                                                        APIs
                                                        • OffsetRect.USER32(?,?,00000000), ref: 004987F4
                                                        • OffsetRect.USER32(?,00000000,?), ref: 0049880F
                                                        • OffsetRect.USER32(?,?,00000000), ref: 00498829
                                                        • OffsetRect.USER32(?,00000000,?), ref: 00498844
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: OffsetRect
                                                        • String ID:
                                                        • API String ID: 177026234-0
                                                        • Opcode ID: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
                                                        • Instruction ID: 3054ac6025076f3b6e7609c5ec68807071a52c8bb3756e2ec3ebb03cdf9dd8d0
                                                        • Opcode Fuzzy Hash: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
                                                        • Instruction Fuzzy Hash: A4213BB66042019BD700DE6DCD85E6BB7EEEBC4300F54CA2EF554C724ADA34E94487A6
                                                        APIs
                                                        • GetCursorPos.USER32 ref: 004176F0
                                                        • SetCursor.USER32(00000000), ref: 00417733
                                                        • GetLastActivePopup.USER32(?), ref: 0041775D
                                                        • GetForegroundWindow.USER32(?), ref: 00417764
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                        • String ID:
                                                        • API String ID: 1959210111-0
                                                        • Opcode ID: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
                                                        • Instruction ID: 2e5a0fdf5ba03c47f255224e58a8cf5d0223c50b95843e628a0bc5c759944eb4
                                                        • Opcode Fuzzy Hash: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
                                                        • Instruction Fuzzy Hash: C521A1342086018ACB10EF2AD885ADB33B1AB54754F45456BE4658B3A2D73CFC80CB89
                                                        APIs
                                                        • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0049845D
                                                        • MulDiv.KERNEL32(50142444,00000008,?), ref: 00498471
                                                        • MulDiv.KERNEL32(F6D0DBE8,00000008,?), ref: 00498485
                                                        • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 004984A3
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
                                                        • Instruction ID: 16986aa08010ea5786b5adfb16098ff8e4cfd335a8687684758257d255a94a27
                                                        • Opcode Fuzzy Hash: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
                                                        • Instruction Fuzzy Hash: E6112172604214ABCB40DFADC8C4D9B7BECEF4D330B14416AF918DB246DA34ED408BA4
                                                        APIs
                                                        • GetClassInfoA.USER32(00400000,0041F900,?), ref: 0041F931
                                                        • UnregisterClassA.USER32(0041F900,00400000), ref: 0041F95A
                                                        • RegisterClassA.USER32(0049C598), ref: 0041F964
                                                        • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F99F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Class$InfoLongRegisterUnregisterWindow
                                                        • String ID:
                                                        • API String ID: 4025006896-0
                                                        • Opcode ID: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
                                                        • Instruction ID: 68e5657fabb3e6ce4c602d6ce4962bfcd13d5dfe703a8334c3f88caa16143e55
                                                        • Opcode Fuzzy Hash: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
                                                        • Instruction Fuzzy Hash: 10019EB22001147BCB10EF69DC81E9B3798A719324B10413BBA05EB2E1C63AAC158BAD
                                                        APIs
                                                        • WaitForInputIdle.USER32(?,00000032), ref: 004557A4
                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
                                                        • CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                        • String ID:
                                                        • API String ID: 4071923889-0
                                                        • Opcode ID: 50d72ea7d667734f1bccca64eb66bfa6b711491f1f06d8a60cdd45e65d548796
                                                        • Instruction ID: 5ee05597952c7b60c0905264d30be017cf261a6af7f6414952b470fafc47fcf8
                                                        • Opcode Fuzzy Hash: 50d72ea7d667734f1bccca64eb66bfa6b711491f1f06d8a60cdd45e65d548796
                                                        • Instruction Fuzzy Hash: B801B970A40A18BEEB10D7A58C16F7BBBACDF49770F610567F904D72C2D5B85D00C668
                                                        APIs
                                                        • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D4B7
                                                        • LoadResource.KERNEL32(00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94,0000000A,00000000), ref: 0040D4D1
                                                        • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94), ref: 0040D4EB
                                                        • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?), ref: 0040D4F5
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Resource$FindLoadLockSizeof
                                                        • String ID:
                                                        • API String ID: 3473537107-0
                                                        • Opcode ID: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
                                                        • Instruction ID: 6e22508d3f73bf4cb8027158dc6397cf7561c54783b82958bb500a3598b7952a
                                                        • Opcode Fuzzy Hash: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
                                                        • Instruction Fuzzy Hash: 66F017736055046F9744EEADA881D6B77DCDE48364310417FF908D7246D938DD118B78
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000,0045C065), ref: 00456608
                                                        • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000), ref: 00456611
                                                        • RemoveFontResourceA.GDI32(00000000), ref: 0045661E
                                                        • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00456632
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                        • String ID:
                                                        • API String ID: 4283692357-0
                                                        • Opcode ID: 3c347d67d5b4f740ff1de30ee87ec094452c3a10ec61a00cfd5825290ed74f09
                                                        • Instruction ID: 8f096fb0a68a4ca8fa6e8945f44f96b9dbd63233ba955a9cb78d2d10420d775d
                                                        • Opcode Fuzzy Hash: 3c347d67d5b4f740ff1de30ee87ec094452c3a10ec61a00cfd5825290ed74f09
                                                        • Instruction Fuzzy Hash: A4F05EB574131076EA10B6B69D87F5B268C8F54745F50483BBA00EF2C3D97CD805566E
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 004716A9
                                                        Strings
                                                        • Setting NTFS compression on directory: %s, xrefs: 00471677
                                                        • Failed to set NTFS compression state (%d)., xrefs: 004716BA
                                                        • Unsetting NTFS compression on directory: %s, xrefs: 0047168F
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                        • API String ID: 1452528299-1392080489
                                                        • Opcode ID: c9ecd17f4e813680e20a341dcb5c35bd710306302feb278d8d434751808c20c2
                                                        • Instruction ID: 126f6134b27ad8e4671cf18fb541cded6235f59fca6c90d789c2948c6de7ddb8
                                                        • Opcode Fuzzy Hash: c9ecd17f4e813680e20a341dcb5c35bd710306302feb278d8d434751808c20c2
                                                        • Instruction Fuzzy Hash: 9C014F30E082486BCB04DBAD54412DDBBE49F4D305F58C1EFA458E7292DA780A088BAA
                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000000), ref: 00471E55
                                                        Strings
                                                        • Setting NTFS compression on file: %s, xrefs: 00471E23
                                                        • Unsetting NTFS compression on file: %s, xrefs: 00471E3B
                                                        • Failed to set NTFS compression state (%d)., xrefs: 00471E66
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                        • API String ID: 1452528299-3038984924
                                                        • Opcode ID: 7175555579b74f1e91f071c7437ba591ebf1dee59165ca3eacc4bfe622640e89
                                                        • Instruction ID: f6184f432152a0a7fc1a05f21f829c234c5ebe7cab1ff57a01f48c4da343ccce
                                                        • Opcode Fuzzy Hash: 7175555579b74f1e91f071c7437ba591ebf1dee59165ca3eacc4bfe622640e89
                                                        • Instruction Fuzzy Hash: 6F01A230E0824866DB00DBED54412DDBBE58F4D344F54C1EFAC58E7392DF780A088B9A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CountSleepTick
                                                        • String ID:
                                                        • API String ID: 2227064392-0
                                                        • Opcode ID: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
                                                        • Instruction ID: 0807e7f7cf1e805980a62751cbb38808fe0fbb755af5a0e062f1309e6a3556a9
                                                        • Opcode Fuzzy Hash: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
                                                        • Instruction Fuzzy Hash: 3BE02B3230910065C72075BF18966BF498ACE89368F148BBFF088E7686C81C8C05957E
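The per-function call listings above are what a triager actually reads, and the raw hex arguments decide how the read goes. The Python below is an added example, not part of the Joe Sandbox report and not the sandbox's own code: it parses `ref:` lines in the shape printed in this section, decodes the argument positions whose constants are fixed by the Windows SDK headers, and returns one summary line per call. The sample lines are copied from records in this section; the constant tables, the `RULES` map and the function names are assumptions of this example. On these records it resolves RegOpenKeyExA's 80000002 to HKEY_LOCAL_MACHINE, SendNotifyMessageA's 0000FFFF and 0000001D to HWND_BROADCAST and WM_FONTCHANGE (the standard broadcast after RemoveFontResource), MessageBoxA's 00002010 to MB_OK|MB_ICONHAND|MB_TASKMODAL, and GetTokenInformation's class 00000012 to TokenElevationType: TOKEN_INFORMATION_CLASS numbers TokenElevationType 18 and TokenIntegrityLevel 25 (0x19), and the 4-byte output buffer in the same call fits a TOKEN_ELEVATION_TYPE, so where a sandbox line carries a different label the summary reports the disagreement rather than trusting either side silently.

```python
import re
from typing import Any, Callable, Dict, List, Optional

# Constructed sample: "ref:" lines in the shape Joe Sandbox prints them, copied from
# records in this section. The third keeps the sandbox's own label for class value
# 0x12; the decoder names the value from winnt.h instead and reports the difference.
SAMPLE_LINES = [
    "• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00456632",
    r"  • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8",
    "• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3A9",
    "• MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040904E",
    "• GetCursorPos.USER32 ref: 004176F0",
]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\((\w+)\))?$")  # 8 hex digits, optional "(Label)"

# Win32 constants (winreg.h, winnt.h, winuser.h) keyed by value.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
TOKEN_INFO_CLASS = {0x12: "TokenElevationType", 0x14: "TokenElevation", 0x19: "TokenIntegrityLevel"}
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
                0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT"}
HWNDS = {0xFFFF: "HWND_BROADCAST"}
MSGS = {0x1D: "WM_FONTCHANGE", 0x18E: "LB_GETTOPINDEX", 0x1A0: "LB_SETITEMHEIGHT", 0x1A1: "LB_GETITEMHEIGHT"}
MB_BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE", 3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
MB_MODES = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL", 0x10000: "MB_SETFOREGROUND", 0x40000: "MB_TOPMOST"}

def lookup(table: Dict[int, str]) -> Callable[[int], Optional[str]]:
    return lambda v: table.get(v)

def flags(table: Dict[int, str]) -> Callable[[int], Optional[str]]:
    """Decode a bitmask; bits not in the table are kept as a hex remainder."""
    def dec(v: int) -> Optional[str]:
        names = [n for bit, n in table.items() if v & bit]
        rest = v & ~sum(table)
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names) or None
    return dec

def decode_mb_type(v: int) -> str:
    """MessageBox uType: button set in the low nibble, icon in bits 4-7, then modal/position flags."""
    parts = [MB_BUTTONS.get(v & 0xF, f"0x{v & 0xF:X}")]
    if (v & 0xF0) in MB_ICONS:
        parts.append(MB_ICONS[v & 0xF0])
    return "|".join(parts + [n for bit, n in MB_MODES.items() if v & bit])

# Argument positions that carry a decodable constant, per API (positions follow the prototypes).
RULES: Dict[str, Dict[int, Callable[[int], Optional[str]]]] = {
    "OpenProcessToken": {1: flags(TOKEN_ACCESS)}, "GetTokenInformation": {1: lookup(TOKEN_INFO_CLASS)},
    "RegOpenKeyExA": {0: lookup(HKEYS)}, "SendMessageA": {1: lookup(MSGS)},
    "SendNotifyMessageA": {0: lookup(HWNDS), 1: lookup(MSGS)}, "MessageBoxA": {3: decode_mb_type},
}

def parse_call(line: str) -> Optional[Dict[str, Any]]:
    """Parse one bullet line; returns None for lines that are not API call references."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    args: List[Dict[str, Any]] = []
    for raw in (m["args"] or "").split(","):
        raw = raw.strip()
        am = ARG_RE.match(raw)
        if am:
            args.append({"raw": raw, "value": int(am.group(1), 16), "label": am.group(2)})
        elif raw:
            args.append({"raw": raw, "value": None, "label": None})  # "?" or an inline string
    call: Dict[str, Any] = {
        "api": m["api"], "module": m["mod"], "ref": int(m["ref"], 16),
        "subcall": int(m["sub"], 16) if m["sub"] else None, "args": args, "notes": {},
    }
    for idx, dec in RULES.get(call["api"], {}).items():
        if idx < len(args) and args[idx]["value"] is not None:
            name = dec(args[idx]["value"])
            if name:
                call["notes"][idx] = name
    return call

def summarize(lines: List[str]) -> List[str]:
    """One line per call with decoded constants; flags a sandbox label that disagrees with the value."""
    out = []
    for call in filter(None, map(parse_call, lines)):
        parts = [f"{call['ref']:08X} {call['api']}.{call['module']}"]
        if call["subcall"] is not None:
            parts.append(f"(via subcall {call['subcall']:08X})")
        for idx, name in sorted(call["notes"].items()):
            arg = call["args"][idx]
            note = f"arg{idx}=0x{arg['value']:X} {name}"
            if arg["label"] and arg["label"] != name:
                note += f" (report label: {arg['label']})"
            parts.append(note)
        out.append(" ".join(parts))
    return out
```

Feed it the whole "APIs" portion of a report: lines that are not call references (Memory Dump Source, Similarity, fuzzy hashes) parse to None and are skipped. Add `RULES` entries only for argument positions whose meaning is fixed by the API prototype. A SendMessageA message number depends on the target control's class, so the LB_* names in `MSGS` apply to the list-box scrolling record in this section and should not be read as general.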
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A381
                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A387
                                                        • GetTokenInformation.ADVAPI32(00000008,00000012(TokenElevationType),00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3A9
                                                        • CloseHandle.KERNEL32(00000000,00000008,TokenElevationType,00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3BA
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                        • String ID:
                                                        • API String ID: 215268677-0
                                                        • Opcode ID: ac4d9c8f746fed02195aeec2a75f74d8bec74019dc56b776fe9ec5c5957efb5f
                                                        • Instruction ID: c90943684b1729c40737559502ac118c81e83100165bab7ebfc4b972d9605339
                                                        • Opcode Fuzzy Hash: ac4d9c8f746fed02195aeec2a75f74d8bec74019dc56b776fe9ec5c5957efb5f
                                                        • Instruction Fuzzy Hash: 94F037616443006BD600EAB58D81E5F73DCDB44354F04883A7E94C72C1E678DC18A776
                                                        APIs
                                                        • GetLastActivePopup.USER32(?), ref: 004246DC
                                                        • IsWindowVisible.USER32(?), ref: 004246ED
                                                        • IsWindowEnabled.USER32(?), ref: 004246F7
                                                        • SetForegroundWindow.USER32(?), ref: 00424701
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                        • String ID:
                                                        • API String ID: 2280970139-0
                                                        • Opcode ID: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
                                                        • Instruction ID: 089861d4a48d175db2243411625799630e322bd2ba2e4807a6d4d74949adae11
                                                        • Opcode Fuzzy Hash: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
                                                        • Instruction Fuzzy Hash: 1CE08691B03531129E31FAA518D1A9B018CEDC6B843461127FC26F7243DB1CCC0041BC
                                                        APIs
                                                        • GlobalHandle.KERNEL32 ref: 00406287
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                        • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                        • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Global$AllocHandleLockUnlock
                                                        • String ID:
                                                        • API String ID: 2167344118-0
                                                        • Opcode ID: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
                                                        • Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
                                                        • Opcode Fuzzy Hash: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
                                                        • Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A
                                                        APIs
                                                        • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047DD3D,?,00000000,00000000,00000001,00000000,0047C6ED,?,00000000), ref: 0047C6B1
                                                        Strings
                                                        • Failed to parse "reg" constant, xrefs: 0047C6B8
                                                        • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047C525
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                        • API String ID: 3535843008-1938159461
                                                        • Opcode ID: d0b61f1a9a78ef113e505d0d96d210997038224b20d6146b7cbb6eb2b8507a85
                                                        • Instruction ID: 4f1aaac30373af7a786909edf03acd4fac9d6a039f8d9495eedf865a7040ef78
                                                        • Opcode Fuzzy Hash: d0b61f1a9a78ef113e505d0d96d210997038224b20d6146b7cbb6eb2b8507a85
                                                        • Instruction Fuzzy Hash: FE813274E00118AFCB11EF95D481ADEBBF9AF48354F60816AE414B7391D738AE45CB98
                                                        APIs
                                                          • Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B
                                                        • FlushFileBuffers.KERNEL32(?), ref: 0045CD29
                                                        Strings
                                                        • EndOffset range exceeded, xrefs: 0045CC5D
                                                        • NumRecs range exceeded, xrefs: 0045CC26
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: File$BuffersFlush
                                                        • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                        • API String ID: 3593489403-659731555
                                                        • Opcode ID: d939363beb06294c04024bff94b21a6467ba92a5d66437e220945c3c4c737606
                                                        • Instruction ID: 31f4abf116af19d9e5b678acab2297332ff925687264b8022cc2431fdfe05cd7
                                                        • Opcode Fuzzy Hash: d939363beb06294c04024bff94b21a6467ba92a5d66437e220945c3c4c737606
                                                        • Instruction Fuzzy Hash: 95617234A002948FDB25DF25C891BDAB7B5AF49305F0084DAED899B352D674AEC8CF54
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485985
                                                        • SetActiveWindow.USER32(?,00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485997
                                                        Strings
                                                        • Will not restart Windows automatically., xrefs: 00485AB6
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: Window$ActiveForeground
                                                        • String ID: Will not restart Windows automatically.
                                                        • API String ID: 307657957-4169339592
                                                        • Opcode ID: be9e79a92d4cbd7749be1cdc5a7306ec2766f47bc379b306d56f71ee2a24a86a
                                                        • Instruction ID: f83d4e2d24e7b328884665d644b63d6f540d85ee55f206053ba059ac37762111
                                                        • Opcode Fuzzy Hash: be9e79a92d4cbd7749be1cdc5a7306ec2766f47bc379b306d56f71ee2a24a86a
                                                        • Instruction Fuzzy Hash: 5E411830204A40DFD715FB64DC85BAE7BE89B25308F5549B7E880D73A2D67C9848D71E
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,004021FC), ref: 004020CB
                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                        • String ID: xG
                                                        • API String ID: 296031713-1680491909
                                                        • Opcode ID: 8a1b0c97779530802f6e75208112804f7cf0878e20f69beeec594c015193d3cc
                                                        • Instruction ID: 61fc07f4a870d1560c8aa4f523a2630168574f360eba5de965793f91e9822c8e
                                                        • Opcode Fuzzy Hash: 8a1b0c97779530802f6e75208112804f7cf0878e20f69beeec594c015193d3cc
                                                        • Instruction Fuzzy Hash: CF41D4B2E00311DFEB10CF6ADD8521A77A4F7A8324B15457BD854A77E2D379A841CB88
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,004023A2,?,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00402264
                                                        • RtlLeaveCriticalSection.KERNEL32(0049E420,004023A9,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 0040239C
                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                        • String ID: xG
                                                        • API String ID: 2227675388-1680491909
                                                        • Opcode ID: 516a01566f6fa97a58202262a60b760063bbc93ebcd6563af1bfd8e8ff5819dd
                                                        • Instruction ID: a7f1ddd27809ec1fb1f78192554481e1e37dc5ace792b3115cdc1432e5ebb8f4
                                                        • Opcode Fuzzy Hash: 516a01566f6fa97a58202262a60b760063bbc93ebcd6563af1bfd8e8ff5819dd
                                                        • Instruction Fuzzy Hash: 2841B031600210CFDB14DB76EE8DB6936A4AB51318F24827FD800A72F2C3BD9945CB9D
                                                        Strings
                                                        • Failed to proceed to next wizard page; showing wizard., xrefs: 0046E2E4
                                                        • Failed to proceed to next wizard page; aborting., xrefs: 0046E2D0
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                        • API String ID: 0-1974262853
                                                        • Opcode ID: b84a3cec68bf4d58160dea60fe7a8e472097943ab73cda54103478f521773ca7
                                                        • Instruction ID: 70d08a633ec7b89d525ec852f300456f6342c088b46b0ce34def68a00de2c099
                                                        • Opcode Fuzzy Hash: b84a3cec68bf4d58160dea60fe7a8e472097943ab73cda54103478f521773ca7
                                                        • Instruction Fuzzy Hash: 1C31B074604240DFD711DB9AD985F9977F9AB15304F6400FBF4049B3A2E738AE84DB1A
                                                        APIs
                                                          • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                        • RegCloseKey.ADVAPI32(?,0047B0F2,?,?,00000001,00000000,00000000,0047B10D), ref: 0047B0DB
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047B066
                                                        • %s\%s_is1, xrefs: 0047B084
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen
                                                        • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                        • API String ID: 47109696-1598650737
                                                        • Opcode ID: e7b8ccf8f87229eb16ad655606291e1919e24a7166246f3390c419fcdb8798a6
                                                        • Instruction ID: 72e7e3a815698905cf2a8865a6f5f2f162ab337690929d3c45f1fbd164993866
                                                        • Opcode Fuzzy Hash: e7b8ccf8f87229eb16ad655606291e1919e24a7166246f3390c419fcdb8798a6
                                                        • Instruction Fuzzy Hash: 46214370B042545FDB01DF66C8527DEBBE8EB49704F90847AE408E7381D77899018B95
                                                        APIs
                                                        • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 00450935
                                                        • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450966
                                                        Memory Dump Source
                                                        • Source File: 00000003.00000002.2582012127.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000003.00000002.2581988822.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582084668.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582105887.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582125195.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000003.00000002.2582146465.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_3_2_400000_Setup.jbxd
                                                        Similarity
                                                        • API ID: ExecuteMessageSendShell
                                                        • String ID: open
                                                        • API String ID: 812272486-2758837156
                                                        • Opcode ID: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
                                                        • Instruction ID: 9d2ddf54ec7714fdda98ff8d0cc6f814dd21c32a1b145895e499ae4a69db9d05
                                                        • Opcode Fuzzy Hash: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
                                                        • Instruction Fuzzy Hash: 2F212EB4E00604AFEB10DF6AC881B9EB7F8EB44705F10857AB401F7297D6789A45CA58
                                                        APIs
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00455B28
                                                        • GetLastError.KERNEL32(0000003C,00000000,00455B71,?,?,?), ref: 00455B39
                                                          • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                        Similarity
                                                        • API ID: DirectoryErrorExecuteLastShellSystem
                                                        • String ID: <
                                                        • API String ID: 893404051-4251816714
                                                        • Opcode ID: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
                                                        • Instruction ID: 999fafdfd618aac71dabfb14027d48496d6343d42a6da5b956ec7361bda3743f
                                                        • Opcode Fuzzy Hash: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
                                                        • Instruction Fuzzy Hash: 48216570A00609AFDB10DF65D8926AE7BF8EF05345F50443BF844E7291D7789E49CB58
                                                        APIs
                                                        • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,)), ref: 004025C7
                                                        • RtlLeaveCriticalSection.KERNEL32(0049E420,0040263D), ref: 00402630
                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                        Strings
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                        • String ID: )
                                                        • API String ID: 2227675388-1084416617
                                                        • Opcode ID: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
                                                        • Instruction ID: 917976a40c8b6a40365e5f884633a4dcf06f5f23cdaa1afef62ceea8ee6a87c6
                                                        • Opcode Fuzzy Hash: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
                                                        • Instruction Fuzzy Hash: F61101317042046FEB25EB7A9F1A62A6AD4D795758B24087FF404F33D2D9FD9C02826C
                                                        APIs
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004999D5
                                                        Strings
                                                        Similarity
                                                        • API ID: Window
                                                        • String ID: /INITPROCWND=$%x $@
                                                        • API String ID: 2353593579-4169826103
                                                        • Opcode ID: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
                                                        • Instruction ID: 16850a3933f6126195f36b65bc9072021203f0d8c6b6540213bbd0006db66c27
                                                        • Opcode Fuzzy Hash: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
                                                        • Instruction Fuzzy Hash: 8B11AF71A042498FDB01DBA9D851BAEBBF9EB98304F50847FE804E7292D63D9D058B58
                                                        APIs
                                                          • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                          • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                        • SysFreeString.OLEAUT32(?), ref: 004479B6
                                                        Strings
                                                        Similarity
                                                        • API ID: String$AllocByteCharFreeMultiWide
                                                        • String ID: NIL Interface Exception$Unknown Method
                                                        • API String ID: 3952431833-1023667238
                                                        • Opcode ID: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
                                                        • Instruction ID: 6ea0978f5b97d4648a43087cb94c4cadf7395b3a3abdd2f7dcac649bd3e58428
                                                        • Opcode Fuzzy Hash: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
                                                        • Instruction Fuzzy Hash: A6119371A04244AFEB10DFA58C92AAEBBACEB49704F91407EF504E7281D7789D01CB69
                                                        APIs
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000,004992AF), ref: 0049927A
                                                        • CloseHandle.KERNEL32(00499314,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000), ref: 00499291
                                                          • Part of subcall function 00499164: GetLastError.KERNEL32(00000000,004991FC,?,?,?,?), ref: 00499188
                                                        Strings
                                                        Similarity
                                                        • API ID: CloseCreateErrorHandleLastProcess
                                                        • String ID: D
                                                        • API String ID: 3798668922-2746444292
                                                        • Opcode ID: 88c7c106073c59e43622e581ba34cc6405f60efbaf8114b77a08c1ff8f12a465
                                                        • Instruction ID: 28a6660038b4d88ad00b798bd9ba61154fa8ff357054911c5ced557c69a1e98d
                                                        • Opcode Fuzzy Hash: 88c7c106073c59e43622e581ba34cc6405f60efbaf8114b77a08c1ff8f12a465
                                                        • Instruction Fuzzy Hash: B8015EB1604248BFDB00DB96CC42A9F7BACDF49714F51447AF504E72C1D6789E048A28
                                                        APIs
                                                        • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E208
                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E248
                                                        Strings
                                                        Similarity
                                                        • API ID: Value$EnumQuery
                                                        • String ID: Inno Setup: No Icons
                                                        • API String ID: 1576479698-2016326496
                                                        • Opcode ID: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
                                                        • Instruction ID: a539eabee655ef144818f3097a210d44f5522b7a792cb7edb349fa40b75ec101
                                                        • Opcode Fuzzy Hash: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
                                                        • Instruction Fuzzy Hash: 8C01DB3178D371E9F73545637D42B7B578C9B42B60F64027BF941BA2C0DA589C04927E
                                                        APIs
                                                          • Part of subcall function 00455E14: GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
                                                          • Part of subcall function 00455E14: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
                                                        • SetForegroundWindow.USER32(?), ref: 0049A71A
                                                        Strings
                                                        • Restarting Windows., xrefs: 0049A6F7
                                                        • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049A745
                                                        Similarity
                                                        • API ID: Process$CurrentForegroundOpenTokenWindow
                                                        • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                        • API String ID: 3179053593-4147564754
                                                        • Opcode ID: 6c228afe96513d1b648d31e82109bfef35f458f72cadce48cdb377948eb0a094
                                                        • Instruction ID: 5122ca49785e6841ab91457b0b89b6e488dcfd7854ae65d0270566c1c2237fbf
                                                        • Opcode Fuzzy Hash: 6c228afe96513d1b648d31e82109bfef35f458f72cadce48cdb377948eb0a094
                                                        • Instruction Fuzzy Hash: EA01D4746041446FEB01FBA5D842B5C2BE99B94309F50447BF400AB2D3DA7CD959875E
                                                        APIs
                                                          • Part of subcall function 0047F300: FreeLibrary.KERNEL32(74350000,00483DC7), ref: 0047F316
                                                          • Part of subcall function 0047EFD8: GetTickCount.KERNEL32 ref: 0047F022
                                                          • Part of subcall function 00457B24: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457B43
                                                        • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049B7DF), ref: 0049AEDD
                                                        • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049B7DF), ref: 0049AEE3
                                                        Strings
                                                        • Detected restart. Removing temporary directory., xrefs: 0049AE97
                                                        Similarity
                                                        • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                        • String ID: Detected restart. Removing temporary directory.
                                                        • API String ID: 1717587489-3199836293
                                                        • Opcode ID: 26e41c90d6ec0bd6f477af004ca483f81e3a2e9df910ec18de9b319d8cd1f6a8
                                                        • Instruction ID: 3c913c32d0756031035703f4f4cddf398d0ed36f6509ee9f01125c758f9cf03b
                                                        • Opcode Fuzzy Hash: 26e41c90d6ec0bd6f477af004ca483f81e3a2e9df910ec18de9b319d8cd1f6a8
                                                        • Instruction Fuzzy Hash: DAE055722082843EDE0277A6BC1382B7F8CD34532D761047BF80481852D92C4820C27E
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 0047722D
                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 00477244
                                                          • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                        Strings
                                                        Similarity
                                                        • API ID: CloseCreateErrorFileHandleLast
                                                        • String ID: CreateFile
                                                        • API String ID: 2528220319-823142352
                                                        • Opcode ID: 96b09a4e5d9e1a8f79d5c2eaa295b53471bf617f106a3b112787a0400d74c430
                                                        • Instruction ID: 90e4e6ff62ef8f0e28f50a913bfb33107960128ee808bbf2bf0dc207e29e0456
                                                        • Opcode Fuzzy Hash: 96b09a4e5d9e1a8f79d5c2eaa295b53471bf617f106a3b112787a0400d74c430
                                                        • Instruction Fuzzy Hash: A6E06D306883447BEA20EA69DCC6F4A77889B04768F108152FA58AF3E3C5B9EC408658
                                                        APIs
                                                        Similarity
                                                        • API ID: ErrorLastSleep
                                                        • String ID:
                                                        • API String ID: 1458359878-0
                                                        • Opcode ID: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
                                                        • Instruction ID: 9465cf589d0d0c12c73eacd3b1eef521cbdc8b34a4c5067471d78d0fd9128cb0
                                                        • Opcode Fuzzy Hash: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
                                                        • Instruction Fuzzy Hash: 08F02B32B05A14774F20A7BB989357FA28CDE44376710512BFD04D7343D939DE4586A8