
Windows Analysis Report
startswinstall.exe

Overview

General Information

Sample name:startswinstall.exe
Analysis ID:1528044
MD5:f01c08e45eb4832131baae55d52fdf22
SHA1:74378a7dba31d7114a5d2eacc772e6290f5067ab
SHA256:362689dd85da2ad70f9d47a156ed0284ff40db0fbb783d658f8c7f901287f064
Infos:

Detection

Score:19
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • startswinstall.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\startswinstall.exe" -install MD5: F01C08E45EB4832131BAAE55D52FDF22)
    • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • startswinstall.exe (PID: 4524 cmdline: "C:\Users\user\Desktop\startswinstall.exe" /install MD5: F01C08E45EB4832131BAAE55D52FDF22)
    • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • startswinstall.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\startswinstall.exe" /load MD5: F01C08E45EB4832131BAAE55D52FDF22)
    • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.9% probability
Source: startswinstall.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: startswinstall.exe | Static PE information: certificate valid
Source: startswinstall.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdbZ source: startswinstall.exe
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdb source: startswinstall.exe
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa, reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: startswinstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: startswinstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: startswinstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: startswinstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: startswinstall.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: startswinstall.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: startswinstall.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: startswinstall.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: startswinstall.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: startswinstall.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: startswinstall.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: startswinstall.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: startswinstall.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: startswinstall.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_002753EF GetAsyncKeyState,GetAsyncKeyState,SendMessageW
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00270152 MessageBeep,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_00270152 MessageBeep,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW
Source: C:\Users\user\Desktop\startswinstall.exe | Code functions: 0_2_0039C131, 0_2_0039E317, 0_2_002773F5, 0_2_0038F500, 0_2_002655F4, 0_2_0039DB1D, 0_2_002B0BD0, 0_2_0039DC3D, 0_2_00385CF7, 0_2_00296DB1, 0_2_00385F5C, 0_2_00282F9D, 0_2_0025AF9F
Source: C:\Users\user\Desktop\startswinstall.exe | Code functions: 3_2_0039C131, 3_2_0039E317, 3_2_002773F5, 3_2_0038F500, 3_2_002655F4, 3_2_0039DB1D, 3_2_002B0BD0, 3_2_0039DC3D, 3_2_00385CF7, 3_2_00296DB1, 3_2_00385F5C, 3_2_00282F9D, 3_2_0025AF9F
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: String function: 0037FC60 appears 91 times
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: String function: 0037F9B4 appears 80 times
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: String function: 0037F980 appears 229 times
Source: startswinstall.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: clean19.winEXE@6/3@1/0
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0024F022 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00241CB0 FindResourceW,LoadResource,LockResource,SizeofResource
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03
Source: startswinstall.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\startswinstall.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\startswinstall.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: startswinstall.exe | String found in binary or memory: <StopOnError>0</StopOnError> (2 occurrences)
Source: startswinstall.exe | String found in binary or memory: <StopOnCancel>0</StopOnCancel> (2 occurrences)
Source: unknown | Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" -install
Source: C:\Users\user\Desktop\startswinstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" /install
Source: C:\Users\user\Desktop\startswinstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" /load
Source: C:\Users\user\Desktop\startswinstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\startswinstall.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, uxtheme.dll, oleacc.dll, winmm.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, propsys.dll, ndfapi.dll, wdi.dll, iphlpapi.dll, duser.dll, xmllite.dll, atlthunk.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Users\user\Desktop\startswinstall.exe | Sections loaded (in order): msimg32.dll, uxtheme.dll, oleacc.dll, winmm.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, propsys.dll, ndfapi.dll, wdi.dll, iphlpapi.dll, duser.dll, xmllite.dll, atlthunk.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Users\user\Desktop\startswinstall.exe | Sections loaded (in order): msimg32.dll, uxtheme.dll, oleacc.dll, winmm.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, propsys.dll, ndfapi.dll, wdi.dll, iphlpapi.dll, duser.dll, xmllite.dll, atlthunk.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Users\user\Desktop\startswinstall.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\startswinstall.exe | Automated click: OK (3 entries)
Source: startswinstall.exe | Static PE information: certificate valid
Source: startswinstall.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: startswinstall.exe | Static file information: File size 1989960 > 1048576
Source: startswinstall.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16ce00
Source: startswinstall.exe | Static PE information: More than 200 imports for USER32.dll
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: startswinstall.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: startswinstall.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdbZ source: startswinstall.exe
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdb source: startswinstall.exe
Source: startswinstall.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: startswinstall.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: startswinstall.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: startswinstall.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: startswinstall.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0037F949 push ecx; ret 0_2_0037F95C
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_0037F949 push ecx; ret 3_2_0037F95C
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00298EA9 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_0029852C __EH_prolog3_GS,GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,InvalidateRect,InflateRect,RedrawWindow,InvalidateRect,InflateRect,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,NotifyWinEvent,NotifyWinEvent,SetCapture,RedrawWindow,SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow
Source: C:\Users\user\Desktop\startswinstall.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Users\user\Desktop\startswinstall.exe | API coverage: 4.0 %
Source: C:\Users\user\Desktop\startswinstall.exe | API coverage: 4.5 %
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00386B83 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00249FFC OutputDebugStringA,GetLastError
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00391D0F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00397EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_00391D0F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_00397EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0037FA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00386B83 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_0037FA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_00386B83 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_00250F0A GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 3_2_00250F0A GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0038063C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\startswinstall.exe | Code function: 0_2_0039799C _free,_free,_free,GetTimeZoneInformation,_free
MITRE ATT&CK Matrix

Techniques matched by this analysis, per tactic (number of matching signatures in parentheses; the unnumbered technique names of the original matrix are its fixed placeholders and did not match):

  • Reconnaissance: none
  • Resource Development: none
  • Initial Access: none
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
  • Credential Access: Input Capture (21)
  • Discovery: System Time Discovery (2), Security Software Discovery (2), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (12)
  • Lateral Movement: none
  • Collection: Input Capture (21), Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
  • Exfiltration: none
  • Impact: none
Behavior Graph

  • Behavior Graph ID: 1528044
  • Sample: startswinstall.exe
  • Start date: 07/10/2024
  • Architecture: WINDOWS
  • Score: 19
  • Processes: startswinstall.exe started three times, each instance starting conhost.exe
  • DNS/IP: 198.187.3.20.in-addr.arpa
  • Signature: AI detected suspicious sample

Source | Detection | Scanner | Label | Link
startswinstall.exe | 0% | ReversingLabs | |
No antivirus matches in any of the other antivirus tables

Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | false | unknown |
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1528044
    Start date and time:2024-10-07 14:47:29 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 9s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name:Cmdline fuzzy
    Number of new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:startswinstall.exe
    Detection:CLEAN
    Classification:clean19.winEXE@6/3@1/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 75%
    • Number of executed functions: 48
    • Number of non-executed functions: 349
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • VT rate limit hit for: startswinstall.exe
    No simulations
    No context (no entries in any of the context tables)
    Process:C:\Users\user\Desktop\startswinstall.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):41
    Entropy (8bit):4.11073699294092
    Encrypted:false
    SSDEEP:3:cgastdXJLYPevn:cFstdXJJ
    MD5:6F1927B8283C7F6C608C2966B58977F8
    SHA1:C4E32AF459AB64890452B0EF07F0F0DDB0D80DF1
    SHA-256:28448A9C716438BDF4E927F0541A1A511ACBB13C12129EE2BDC343C5E8CAF413
    SHA-512:A817F9C31C226CA0957115E3F0B8D618EA01225DFDCC00E55DC96B98E794C71C4D745401EC2FFC88E81085CB5AD7D77269EB14E22AA93769EC25F416E3806EB7
    Malicious:false
    Reputation:low
    Preview:Fatal Error: AdminInstall failed to run..
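Two of the report's derived values can be re-derived offline, which is worth doing before a heuristic signature is taken at face value. The "Tries to resolve domain names, but no domain seems valid (expired dropper behavior)" hit in the signature list rests on a single DNS query, 198.187.3.20.in-addr.arpa, which is a reverse (PTR) lookup of 20.3.187.198 that came back NXDOMAIN; an address with no PTR record is not a lapsed C2 domain, so the signature says nothing about forward resolution here. The 41-byte dropped file is likewise recomputable from its preview. The Python below is an added example, not Joe Sandbox code and not part of the report: the in-addr.arpa decoder, the entropy routine and the classify_dns_queries helper with its (name, rcode) input shape are this example's own; the dropped file bytes are reconstructed from the preview line, the trailing ".." being the CRLF that the file type line reports.

```python
"""Re-derive report values offline. Added example; not Joe Sandbox code."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def ptr_to_ip(qname):
    """Decode an IPv4 reverse-lookup name (d.c.b.a.in-addr.arpa) into a.b.c.d; None if it is not one."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]  # PTR names carry the octets in reverse order
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(str(int(o)) for o in octets)


def classify_dns_queries(queries):
    """Split (qname, rcode) pairs into forward lookups and PTR lookups.

    A failed-resolution heuristic should only count forward lookups: NXDOMAIN for
    a PTR name means the address has no reverse record, not that a domain expired.
    """
    forward, reverse = [], []
    for qname, rcode in queries:
        ip = ptr_to_ip(qname)
        (reverse if ip else forward).append({"name": qname, "rcode": rcode, "ip": ip})
    return {"forward": forward, "reverse": reverse,
            "failed_forward": [q for q in forward if q["rcode"] != "NOERROR"]}


# Reconstructed from the report: preview "Fatal Error: AdminInstall failed to run.." where the
# two trailing dots stand for the CRLF named in the file type line, giving the reported 41 bytes.
DROPPED_FILE = b"Fatal Error: AdminInstall failed to run\r\n"
REPORTED = {"size": 41, "entropy": 4.11073699294092,
            "md5": "6F1927B8283C7F6C608C2966B58977F8"}


def check_dropped_file(data=DROPPED_FILE, reported=REPORTED):
    """Which of the reported properties the reconstructed bytes reproduce."""
    return {
        "size": len(data) == reported["size"],
        "entropy": abs(shannon_entropy(data) - reported["entropy"]) < 1e-9,
        "md5": hashlib.md5(data).hexdigest().upper() == reported["md5"],
    }


if __name__ == "__main__":
    # The report's only DNS activity, transcribed from its two DNS lines.
    print(classify_dns_queries([("198.187.3.20.in-addr.arpa", "NXDOMAIN")]))
    print(check_dropped_file())
```

The md5 entry of check_dropped_file() is the strict test: entropy depends only on the byte histogram, so it cannot distinguish CRLF from any other pair of single-occurrence bytes, while the hash confirms the reconstruction byte for byte.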
    File type:PE32 executable (console) Intel 80386, for MS Windows
    Entropy (8bit):6.568257392883244
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:startswinstall.exe
    File size:1'989'960 bytes
    MD5:f01c08e45eb4832131baae55d52fdf22
    SHA1:74378a7dba31d7114a5d2eacc772e6290f5067ab
    SHA256:362689dd85da2ad70f9d47a156ed0284ff40db0fbb783d658f8c7f901287f064
    SHA512:6fc8ebe34e88ed716d87e43d9e51b0ae9f2620d1b24b5118240a85d3b693df666f4bc9accaa9d3026af15db6ccc5ae6ca4a26094514228d9ad8f6380202a62df
    SSDEEP:49152:73qovEkkPUZ9hlCtw7drEvD81kjerY3EYhGT:bqovJkPUZb4a7drEvD81kje003
    TLSH:79957E31BA414077C66336307D48F639F3ADAD34C63E85FB12D6BFA82921742891796B
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.#8..Mk..Mk..MkH.Nj..MkH.Ij2.MkH.Hj..MkH.Kj..MkH.Lj2.Mk..Lk..Mk..Ij..Mk..Nj..Mk..Hjp.Mk..Dj..Mk...k..Mk...k..Mk..Oj..MkRich..M
    Icon Hash:00928e8e8686b000
    Entrypoint:0x53f93f
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x64C015D0 [Tue Jul 25 18:34:56 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:1bcd554e03d47a7bf638d9a7523798d7
    Signature Valid:true
    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before: 02/05/2023 02:00:00
    Not After: 04/05/2026 01:59:59
    Subject Chain
    • CN=Dassault Systemes SolidWorks Corp., O=Dassault Systemes SolidWorks Corp., L=Waltham, S=Massachusetts, C=US
    Version:3
    Thumbprint MD5:CD37A7CCE53415A4C0EEB927185DD1B6
    Thumbprint SHA-1:DCBFBB4055B20974CBADAF823B98037E985026FB
    Thumbprint SHA-256:1D033A2D42F63C3317DA1F878D6CF6BAF8C1A0C9E6E839CC4354E4C8E78C015C
    Serial:07C255707CD5BA7392A53C1175F464F0
    Instruction (entrypoint disassembly)
    call 00007F4938C4BDBAh
    jmp 00007F4938C4AEE9h
    mov ecx, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], ecx
    pop ecx
    pop edi
    pop edi
    pop esi
    pop ebx
    mov esp, ebp
    pop ebp
    push ecx
    ret
    mov ecx, dword ptr [ebp-10h]
    xor ecx, ebp
    call 00007F4938C4AAADh
    jmp 00007F4938C4B050h
    mov ecx, dword ptr [ebp-14h]
    xor ecx, ebp
    call 00007F4938C4AA9Ch
    jmp 00007F4938C4B03Fh
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [005BDFE4h]
    xor eax, ebp
    push eax
    push dword ptr [ebp-04h]
    mov dword ptr [ebp-04h], FFFFFFFFh
    lea eax, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], eax
    ret
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [005BDFE4h]
    xor eax, ebp
    push eax
    mov dword ptr [ebp-10h], eax
    push dword ptr [ebp-04h]
    mov dword ptr [ebp-04h], FFFFFFFFh
    lea eax, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], eax
    ret
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [005BDFE4h]
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b9938 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c7000 | 0xb40 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1e3400 | 0x2948 | .reloc
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c8000 | 0x21300 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a1e54 | 0x70 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x1a1f80 | 0x18 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a1ec8 | 0x40 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x16e000 | 0x944 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x16cd17 | 0x16ce00 | f5616487fa350c35424f26c9306b62bc | False | 0.5365459864251456 | data | 6.500029737438513 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x16e000 | 0x4ebc2 | 0x4ec00 | bb0100a462965ea2eaec950944ad30a4 | False | 0.28639322916666665 | data | 5.0268861359196695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x1bd000 | 0x9a58 | 0x5600 | 5cea81d77fa5cd4455c12da56cd024f5 | False | 0.24005268895348839 | data | 4.624722438330439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x1c7000 | 0xb40 | 0xc00 | 7b880d2afa7a639a06d2761239a7c9e0 | False | 0.3509114583333333 | data | 4.540270833073978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x1c8000 | 0x21300 | 0x21400 | e5e02426b2ca0b1c1316519b8f6083ae | False | 0.46404340930451127 | data | 6.5701353321292055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    XML | 0x1c7140 | 0x413 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.35282837967401726
    RT_STRING | 0x1c78d0 | 0x3c | data | English | United States | 0.5833333333333334
    RT_VERSION | 0x1c7558 | 0x374 | data | English | United States | 0.41289592760180993
    RT_MANIFEST | 0x1c7910 | 0x22f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (499), with CRLF line terminators | English | United States | 0.5295169946332737
    Imports by DLL
    KERNEL32.dll: GetStdHandle, ExitProcess, QueryPerformanceFrequency, VirtualQuery, VirtualAlloc, GetSystemInfo, HeapQueryInformation, GetModuleHandleExW, LCMapStringW, ExitThread, CreateThread, GetCommandLineA, GetFileType, SetStdHandle, RtlUnwind, OutputDebugStringW, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetTimeZoneInformation, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetStringTypeW, InitializeSListHead, GetConsoleCP, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetTempFileNameW, Sleep, SearchPathW, GetProfileIntW, GetTickCount, VerifyVersionInfoW, VerSetConditionMask, GetWindowsDirectoryW, FindResourceExW, lstrcpyW, VirtualProtect, GlobalFindAtomW, GlobalFlags, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, GetCurrentDirectoryW, GlobalAddAtomW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetPrivateProfileIntW, ResumeThread, SetThreadPriority, CreateEventW, GetSystemDirectoryW, EncodePointer, SystemTimeToTzSpecificLocalTime, GetFileTime, GetFileSizeEx, GetFileAttributesExW, GetFileAttributesW, FileTimeToLocalFileTime, lstrcmpiW, LoadLibraryA, DuplicateHandle, CloseHandle, WriteFile, UnlockFile, SetFilePointer, SetEndOfFile, ReadFile, LockFile, GetVolumeInformationW, GetFullPathNameW, GetFileSize, FlushFileBuffers, FindFirstFileW, FindClose, DeleteFileW, CreateFileW, CompareStringW, GetCurrentProcessId, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, FileTimeToSystemTime, GlobalGetAtomNameW, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, SetErrorMode, CompareStringA, lstrcmpW, lstrcmpA, GlobalDeleteAtom, LoadLibraryW, LoadLibraryExW, FreeLibrary, GetVersionExW, GetCurrentThreadId, GetCurrentThread, OutputDebugStringA, CopyFileW, FormatMessageW, MulDiv, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GlobalAlloc, SetLastError, WideCharToMultiByte, WaitForSingleObject, GetModuleFileNameW, GetCurrentProcess, GetCommandLineW, GetModuleHandleW, LocalFree, GetProcAddress, MultiByteToWideChar, GetModuleHandleA, GetTempPathW, GetProcessHeap, DeleteCriticalSection, DecodePointer, SizeofResource, HeapAlloc, FindResourceW, LoadResource, RaiseException, HeapReAlloc, LockResource, GetLastError, HeapSize, InitializeCriticalSectionEx, HeapFree, FreeLibraryAndExitThread, WriteConsoleW
    USER32.dll: DrawFocusRect, WindowFromPoint, ReleaseCapture, SetCapture, GetNextDlgGroupItem, LoadImageW, TrackMouseEvent, MapDialogRect, GetAsyncKeyState, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamW, OffsetRect, SetRectEmpty, SendDlgItemMessageA, IntersectRect, InflateRect, GetMenuItemInfoW, DestroyMenu, GetMonitorInfoW, MonitorFromWindow, WinHelpW, GetScrollInfo, SetScrollInfo, LoadIconW, GetTopWindow, GetClassLongW, EqualRect, CopyRect, MapWindowPoints, AdjustWindowRectEx, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, ScrollWindow, RedrawWindow, SetForegroundWindow, GetForegroundWindow, SetActiveWindow, TrackPopupMenu, SetMenu, GetMenu, GetCapture, IsIconic, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, DestroyWindow, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, CallWindowProcW, DefWindowProcW, GetMessageTime, GetMessagePos, RegisterWindowMessageW, DestroyIcon, IsDialogMessageW, SetWindowLongW, CheckDlgButton, GetDlgItem, SetWindowPos, MoveWindow, ShowWindow, IsWindow, GetScrollPos, SetScrollPos, SetFocus, FillRect, ScreenToClient, EndPaint, BeginPaint, GetWindowDC, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, InvalidateRect, UpdateWindow, KillTimer, SetTimer, RealChildWindowFromPoint, GetWindow, GetClassNameW, GetDesktopWindow, PtInRect, DrawIconEx, GetIconInfo, MessageBeep, GetMenuStringW, GetMenuState, GetSubMenu, ClientToScreen, GetWindowRect, SetWindowTextW, GetDlgCtrlID, DeleteMenu, SetCursor, ShowOwnedPopups, CallNextHookEx, SetWindowsHookExW, GetCursorPos, ValidateRect, GetKeyState, GetActiveWindow, IsWindowVisible, PeekMessageW, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, CreatePopupMenu, GetMenuDefaultItem, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateW, SetClassLongW, SetWindowRgn, SetParent, DrawEdge, DrawFrameControl, IsZoomed, GetSystemMenu, BringWindowToTop, SetCursorPos, IsRectEmpty, GetMenuItemID, GetMenuItemCount, InsertMenuW, AppendMenuW, RemoveMenu, PostMessageW, PostQuitMessage, GetWindowTextW, GetWindowTextLengthW, UnhookWindowsHookEx, SendMessageW, EnableWindow, IsWindowEnabled, MessageBoxW, GetWindowLongW, GetParent, GetWindowThreadProcessId, GetLastActivePopup, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, LoadCursorW, CharUpperW, GetFocus, CheckMenuItem, EnableMenuItem, InsertMenuItemW, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, LoadBitmapW, GetClientRect, CopyImage, SystemParametersInfoW, GetMessageW, TranslateMessage, DispatchMessageW, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, PostThreadMessageW, WaitMessage, GetKeyboardLayout, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, GetKeyboardState, CreateAcceleratorTableW, DestroyAcceleratorTable, CopyAcceleratorTableW, SetRect, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuW, RegisterClipboardFormatW, CharUpperBuffW, IsClipboardFormatAvailable, GetUpdateRect, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, CreateMenu, GetWindowRgn, DestroyCursor, TranslateAcceleratorW, LoadAcceleratorsW, MonitorFromPoint, UpdateLayeredWindow, UnionRect, DrawIcon, FrameRect, CopyIcon
    GDI32.dll: GetClipBox, GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextColor, SetTextAlign, GetObjectW, MoveToEx, TextOutW, ExtTextOutW, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateFontIndirectW, GetTextExtentPoint32W, ExcludeClipRect, CreateRectRgnIndirect, PatBlt, SetRectRgn, DPtoLP, GetTextMetricsW, EnumFontFamiliesExW, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, GetBkColor, CreateCompatibleBitmap, CreateDIBitmap, EnumFontFamiliesW, GetTextCharsetInfo, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, GetTextColor, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, Rectangle, GetRgnBox, OffsetRgn, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, GetTextFaceW, Escape, CreateSolidBrush, CreateRectRgn, CreatePen, CreateHatchBrush, CreateCompatibleDC, BitBlt, DeleteObject, CreateBitmap, DeleteDC, GetDeviceCaps, CreateDCW, CombineRgn, CreatePatternBrush, CopyMetaFileW
    MSIMG32.dll: TransparentBlt, AlphaBlend
    WINSPOOL.DRV: ClosePrinter, OpenPrinterW, DocumentPropertiesW
    ADVAPI32.dll: RegEnumValueW, RegSetValueExW, RegDeleteValueW, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExW
    SHELL32.dll: CommandLineToArgvW, SHFileOperationW, ShellExecuteExW, SHGetFileInfoW, ShellExecuteW, SHAppBarMessage, SHBrowseForFolderW, DragFinish, DragQueryFileW, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetPathFromIDListW
    SHLWAPI.dll: PathFindFileNameW, PathRemoveFileSpecW, PathAppendW, PathFindExtensionW, PathIsUNCW, StrFormatKBSizeW, PathStripToRootW
    UxTheme.dll: DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, GetThemeSysColor, GetCurrentThemeName, DrawThemeBackground, GetThemeColor, IsThemeBackgroundPartiallyTransparent, GetWindowTheme, IsAppThemed, GetThemePartSize
    ole32.dll: OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, DoDragDrop, CreateStreamOnHGlobal, CoInitializeEx, CoInitialize, CoDisconnectObject, CoCreateGuid, CoUninitialize, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance
    OLEAUT32.dll: LoadTypeLib, VarBstrFromDate, VariantChangeType, VariantCopy, VariantClear, VariantInit, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, SysAllocStringLen, SysAllocString, SysFreeString
    gdiplus.dll: GdipCreateFromHDC, GdipDrawImageRectI, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown, GdipSetInterpolationMode, GdipCreateBitmapFromHBITMAP, GdipCreateBitmapFromStream
    OLEACC.dll: LresultFromObject, CreateStdAccessibleObject, AccessibleObjectFromWindow
    IMM32.dll: ImmReleaseContext, ImmGetOpenStatus, ImmGetContext
    WINMM.dll: PlaySoundW
    Language of compilation system:English
    Country where language is spoken:United States
    Network traffic
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 7, 2024 14:48:54.632013083 CEST | 53 | 58731 | 162.159.36.2 | 192.168.2.5
    Oct 7, 2024 14:48:55.124469995 CEST | 65320 | 53 | 192.168.2.5 | 1.1.1.1
    Oct 7, 2024 14:48:55.133389950 CEST | 53 | 65320 | 1.1.1.1 | 192.168.2.5
    DNS queries
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Oct 7, 2024 14:48:55.124469995 CEST | 192.168.2.5 | 1.1.1.1 | 0x3603 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
    DNS answers
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Oct 7, 2024 14:48:55.133389950 CEST | 1.1.1.1 | 192.168.2.5 | 0x3603 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

    Target ID:0
    Start time:08:48:20
    Start date:07/10/2024
    Path:C:\Users\user\Desktop\startswinstall.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\startswinstall.exe" -install
    Imagebase:0x240000
    File size:1'989'960 bytes
    MD5 hash:F01C08E45EB4832131BAAE55D52FDF22
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:1
    Start time:08:48:20
    Start date:07/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:08:48:22
    Start date:07/10/2024
    Path:C:\Users\user\Desktop\startswinstall.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\startswinstall.exe" /install
    Imagebase:0x240000
    File size:1'989'960 bytes
    MD5 hash:F01C08E45EB4832131BAAE55D52FDF22
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:4
    Start time:08:48:23
    Start date:07/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:08:48:25
    Start date:07/10/2024
    Path:C:\Users\user\Desktop\startswinstall.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\startswinstall.exe" /load
    Imagebase:0x240000
    File size:1'989'960 bytes
    MD5 hash:F01C08E45EB4832131BAAE55D52FDF22
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:6
    Start time:08:48:25
    Start date:07/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

      Execution Graph

      Execution Coverage:2.3%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:1.7%
      Total number of Nodes:1028
      Total number of Limit Nodes:11
24665a 49993->49994 50353 242a40 38 API calls 4 library calls 49993->50353 49996 24668a 49994->49996 50354 242950 38 API calls 49994->50354 49998 246695 GetModuleFileNameW 49996->49998 50000 2466bb ___crtDownlevelLCIDToLocaleName 49996->50000 49998->50000 50001 245e4a 50000->50001 50355 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50000->50355 50001->49932 50002 2462b0 50001->50002 50003 2462fb 50002->50003 50004 2463d3 50003->50004 50012 24630a 50003->50012 50357 2429b0 25 API calls 2 library calls 50003->50357 50361 242c90 38 API calls 4 library calls 50004->50361 50005 246370 PathRemoveFileSpecW 50009 246380 ___crtDownlevelLCIDToLocaleName 50005->50009 50010 2463c9 50009->50010 50011 246399 50009->50011 50360 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50010->50360 50014 245e69 50011->50014 50359 242a40 38 API calls 4 library calls 50011->50359 50012->50005 50358 242950 38 API calls 50012->50358 50013 2463d8 50017 245030 50014->50017 50018 245051 50017->50018 50019 2450d8 50017->50019 50020 2450cd 50018->50020 50022 24505d 50018->50022 50019->49919 50363 242a40 38 API calls 4 library calls 50020->50363 50023 2450e3 50022->50023 50024 24508a 50022->50024 50028 245071 50022->50028 50364 242c90 38 API calls 4 library calls 50023->50364 50362 2429b0 25 API calls 2 library calls 50024->50362 50027 2450e8 50028->49919 50032 24691c 50029->50032 50031 24605d 50031->49927 50031->49928 50032->50031 50365 3871f0 50032->50365 50034 241f08 50033->50034 50035 242387 50034->50035 50036 241f12 50034->50036 50415 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50035->50415 50039 242590 72 API calls 50036->50039 50038 242391 50416 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50038->50416 50041 241f31 50039->50041 50043 241f44 50041->50043 50404 242a40 38 API calls 4 library calls 50041->50404 50042 24239b 50417 241c60 26 API 
calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50042->50417 50376 246180 50043->50376 50047 2423a5 50418 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50047->50418 50049 2423af 50050 241f5a 50050->50038 50051 241f8d 50050->50051 50052 242590 72 API calls 50051->50052 50053 241fa9 50052->50053 50054 241fbc 50053->50054 50405 242a40 38 API calls 4 library calls 50053->50405 50054->50042 50056 241fcf 50054->50056 50057 242590 72 API calls 50056->50057 50058 241feb 50057->50058 50059 241ffe 50058->50059 50406 242a40 38 API calls 4 library calls 50058->50406 50061 246180 39 API calls 50059->50061 50062 242011 50061->50062 50391 242d70 50062->50391 50064 2420e6 ___crtDownlevelLCIDToLocaleName 50064->50047 50065 24217d ___crtDownlevelLCIDToLocaleName 50064->50065 50071 24215c 50064->50071 50409 242950 38 API calls 50064->50409 50065->50047 50074 2421f3 50065->50074 50084 242214 ___crtDownlevelLCIDToLocaleName 50065->50084 50411 242950 38 API calls 50065->50411 50066 242025 ___crtDownlevelLCIDToLocaleName 50066->50047 50066->50064 50076 2420c5 50066->50076 50407 242950 38 API calls 50066->50407 50068 242323 50069 242327 WaitForSingleObject 50068->50069 50070 242332 50068->50070 50069->50070 50070->49920 50086 245d70 50070->50086 50410 2429b0 25 API calls 2 library calls 50071->50410 50412 2429b0 25 API calls 2 library calls 50074->50412 50408 2429b0 25 API calls 2 library calls 50076->50408 50078 24228a 50414 2429b0 25 API calls 2 library calls 50078->50414 50083 2422ab 50083->50047 50085 2422b7 ShellExecuteExW 50083->50085 50084->50047 50084->50078 50084->50085 50413 242950 38 API calls 50084->50413 50085->50068 50085->50070 50087 245d7e __vswprintf_c_l 50086->50087 50494 386a91 50087->50494 50089 245d98 50089->49920 50091 2425a4 50090->50091 50105 24267d 50090->50105 50091->50105 50707 24710b 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50091->50707 50093 2425ba 50094 2425c4 
FindResourceW 50093->50094 50093->50105 50095 2425df LoadResource 50094->50095 50094->50105 50096 2425ef LockResource 50095->50096 50095->50105 50097 242601 SizeofResource 50096->50097 50096->50105 50098 242613 50097->50098 50099 242654 50098->50099 50098->50105 50708 242950 38 API calls 50098->50708 50709 384956 25 API calls 3 library calls 50099->50709 50102 24266d 50710 241ba0 RaiseException std::_Xinvalid_argument 50102->50710 50105->49953 50108 242a40 38 API calls 4 library calls 50105->50108 50108->49953 50109->49957 50110->49959 50111->49941 50112->49951 50113->49930 50114->49942 50115->49947 50117 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 50116->50117 50118 24a499 GetModuleFileNameW 50117->50118 50119 24a4c1 50118->50119 50120 24a4ca PathFindExtensionW 50119->50120 50191 255445 RaiseException std::_Xinvalid_argument 50119->50191 50122 24a4e2 50120->50122 50123 24a4dd 50120->50123 50158 24a3d9 50122->50158 50192 255445 RaiseException std::_Xinvalid_argument 50123->50192 50126 24a4ff 50127 24a508 50126->50127 50193 255445 RaiseException std::_Xinvalid_argument 50126->50193 50129 24a51a 50127->50129 50194 38939f 26 API calls 3 library calls 50127->50194 50132 24a643 50129->50132 50146 24a555 50129->50146 50179 247116 50129->50179 50201 2471e4 RaiseException std::_Xinvalid_argument 50132->50201 50133 24a542 50195 38939f 26 API calls 3 library calls 50133->50195 50134 247116 71 API calls 50136 24a57d 50134->50136 50150 24a58d 50136->50150 50196 38939f 26 API calls 3 library calls 50136->50196 50137 24a634 50139 37f3a0 __floor_pentium4 5 API calls 50137->50139 50145 24a641 50139->50145 50143 24a618 50200 241ba0 RaiseException std::_Xinvalid_argument 50143->50200 50144 24a5db 50198 241ba0 RaiseException std::_Xinvalid_argument 50144->50198 50145->49965 50146->50132 50146->50134 50146->50150 50150->50132 50156 24a5ed 50150->50156 50197 38736c 25 API calls 2 library calls 50150->50197 50156->50132 50156->50137 50199 38932a 
25 API calls 2 library calls 50156->50199 50157->49969 50159 24a3e2 PathFindFileNameW 50158->50159 50160 24a418 50158->50160 50161 24a3fb 50159->50161 50168 24a3f1 50159->50168 50162 2471ca Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 50160->50162 50202 387296 25 API calls 2 library calls 50161->50202 50164 24a41d SetErrorMode SetErrorMode 50162->50164 50167 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 50164->50167 50165 24a409 50203 241ba0 RaiseException std::_Xinvalid_argument 50165->50203 50170 24a43b 50167->50170 50168->50126 50171 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 50170->50171 50172 24a449 50171->50172 50173 24a464 50172->50173 50174 24a47c 75 API calls 50172->50174 50175 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 50173->50175 50174->50173 50176 24a469 50175->50176 50177 24a475 50176->50177 50204 24f43e 58 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50176->50204 50177->50126 50180 247177 50179->50180 50181 247122 50179->50181 50182 2471ca Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 50180->50182 50181->50180 50183 247129 50181->50183 50184 24717c 50182->50184 50185 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 50183->50185 50184->50133 50186 24712e 50185->50186 50205 241cb0 FindResourceW 50186->50205 50188 24713a 50190 247140 50188->50190 50211 242ee0 26 API calls 2 library calls 50188->50211 50190->50133 50194->50129 50195->50146 50196->50150 50197->50144 50199->50143 50202->50165 50204->50177 50206 241cd5 50205->50206 50207 241cd9 LoadResource 50205->50207 50206->50188 50208 241ce6 50207->50208 50209 241cef LockResource 50207->50209 50208->50188 50209->50208 50210 241cfc SizeofResource 50209->50210 50210->50208 50211->50190 50213 2428cd 50212->50213 50214 2428de 50212->50214 50213->49974 50217 
241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50214->50217 50216 2428e8 50217->50216 50219 245b9d 50218->50219 50220 245ba7 50219->50220 50221 245d58 50219->50221 50224 242590 72 API calls 50220->50224 50272 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50221->50272 50223 245d62 50227 245bc5 50224->50227 50225 245bef 50252 386f55 50225->50252 50227->50225 50271 242a40 38 API calls 4 library calls 50227->50271 50228 245c04 50230 386f55 47 API calls 50228->50230 50236 245c2f 50228->50236 50231 245c16 50230->50231 50234 386f55 47 API calls 50231->50234 50231->50236 50233 245c48 50233->49984 50235 245c28 50234->50235 50235->50236 50237 386f55 47 API calls 50235->50237 50262 24931b 50236->50262 50238 245c86 50237->50238 50238->50236 50239 386f55 47 API calls 50238->50239 50240 245c9c 50239->50240 50240->50236 50241 386f55 47 API calls 50240->50241 50242 245cb2 50241->50242 50242->50236 50243 386f55 47 API calls 50242->50243 50244 245ccd 50243->50244 50244->50236 50245 386f55 47 API calls 50244->50245 50246 245ce8 50245->50246 50246->50236 50247 386f55 47 API calls 50246->50247 50248 245d03 50247->50248 50248->50236 50249 386f55 47 API calls 50248->50249 50250 245d1e 50249->50250 50250->50236 50251 386f55 47 API calls 50250->50251 50251->50236 50253 386f63 50252->50253 50257 386f86 50252->50257 50254 386f69 50253->50254 50253->50257 50273 386e09 14 API calls __dosmaperr 50254->50273 50275 386f9e 47 API calls 3 library calls 50257->50275 50258 386f99 50258->50228 50259 386f6e 50274 386d2f 25 API calls _memcpy_s 50259->50274 50261 386f79 50261->50228 50263 249327 __EH_prolog3 50262->50263 50264 249355 50263->50264 50265 249332 50263->50265 50318 24960a 38 API calls 50264->50318 50276 2484ff 50265->50276 50268 24933a 50284 24936c 50268->50284 50270 249348 Concurrency::details::ExternalContextBase::~ExternalContextBase 50270->50233 50271->50225 50272->50223 50273->50259 50274->50261 50275->50258 
50277 24850b __EH_prolog3 50276->50277 50319 246bc9 50277->50319 50282 248539 Concurrency::details::ExternalContextBase::~ExternalContextBase 50282->50268 50345 37f980 50284->50345 50286 249378 lstrcmpA 50287 249399 lstrcmpA 50286->50287 50314 24938d Concurrency::details::ExternalContextBase::~ExternalContextBase 50286->50314 50288 2493b5 CompareStringA 50287->50288 50287->50314 50289 2493d4 CompareStringA 50288->50289 50288->50314 50290 2493f0 CompareStringA 50289->50290 50289->50314 50291 24940c CompareStringA 50290->50291 50290->50314 50292 249428 CompareStringA 50291->50292 50291->50314 50293 249444 CompareStringA 50292->50293 50292->50314 50294 249460 CompareStringA 50293->50294 50293->50314 50295 24947c CompareStringA 50294->50295 50294->50314 50296 249498 50295->50296 50295->50314 50346 3893fe 47 API calls 2 library calls 50296->50346 50298 2494a5 50299 2494ac 50298->50299 50300 2494ff lstrcmpA 50298->50300 50347 2450f0 74 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50299->50347 50301 249521 lstrcmpA 50300->50301 50302 24950f 50300->50302 50305 249540 CompareStringA 50301->50305 50306 249531 50301->50306 50349 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50302->50349 50308 249558 50305->50308 50309 24956b CompareStringA 50305->50309 50350 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50306->50350 50307 2494b5 50307->50314 50348 249a40 38 API calls 50307->50348 50351 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50308->50351 50312 249584 50309->50312 50309->50314 50352 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50312->50352 50314->50270 50316 2494d7 50317 245030 38 API calls 50316->50317 50317->50314 50318->50270 50320 246bf7 50319->50320 50323 246bd8 50319->50323 50339 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50320->50339 50322 
246c01 50324 248cc7 50323->50324 50325 24852b 50324->50325 50326 248cd3 50324->50326 50325->50282 50328 248a4b 50325->50328 50326->50325 50340 249112 76 API calls 50326->50340 50329 248a8d 50328->50329 50330 248a58 50328->50330 50344 246dcb 26 API calls 50329->50344 50341 248e34 WideCharToMultiByte 50330->50341 50333 248a60 50333->50329 50334 248a67 50333->50334 50342 246f2c 40 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50334->50342 50336 248a6f WideCharToMultiByte 50343 246fde 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50336->50343 50338 248a8b 50338->50282 50339->50322 50340->50325 50341->50333 50342->50336 50343->50338 50344->50338 50345->50286 50346->50298 50347->50307 50348->50316 50349->50314 50350->50314 50351->50314 50352->50314 50353->49994 50354->49996 50355->49988 50356->49990 50357->50012 50358->50005 50359->50014 50360->50004 50361->50013 50362->50028 50363->50019 50364->50027 50366 392ef2 50365->50366 50367 392f30 50366->50367 50368 392f1b HeapAlloc 50366->50368 50372 392f04 __dosmaperr 50366->50372 50375 386e09 14 API calls __dosmaperr 50367->50375 50370 392f2e 50368->50370 50368->50372 50371 392f35 50370->50371 50371->50032 50372->50367 50372->50368 50374 39ae37 EnterCriticalSection LeaveCriticalSection __dosmaperr 50372->50374 50374->50372 50375->50371 50377 2461cb 50376->50377 50378 2462a8 50377->50378 50386 2461da 50377->50386 50419 2429b0 25 API calls 2 library calls 50377->50419 50423 242c90 38 API calls 4 library calls 50378->50423 50379 246240 PathAppendW 50383 246255 ___crtDownlevelLCIDToLocaleName 50379->50383 50384 24629e 50383->50384 50385 24626e 50383->50385 50422 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50384->50422 50388 24628a 50385->50388 50421 242a40 38 API calls 4 library calls 50385->50421 50386->50379 50420 242950 38 API calls 50386->50420 50387 2462ad 50388->50050 50392 242df1 50391->50392 50394 242d82 __vswprintf_c_l 
50391->50394 50403 242dfb 50392->50403 50431 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50392->50431 50424 386b3b 50394->50424 50395 242e17 50432 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 50395->50432 50398 242e21 50400 242dd2 50427 386b5f 50400->50427 50403->50066 50404->50043 50405->50054 50406->50059 50407->50076 50408->50064 50409->50071 50410->50065 50411->50074 50412->50084 50413->50078 50414->50083 50415->50038 50416->50042 50417->50047 50418->50049 50419->50386 50420->50379 50421->50388 50422->50378 50423->50387 50433 384cd4 50424->50433 50472 384e5b 50427->50472 50429 386b7e 50429->50392 50430 242950 38 API calls 50430->50400 50431->50395 50432->50398 50434 384cfc 50433->50434 50435 384d14 50433->50435 50448 386e09 14 API calls __dosmaperr 50434->50448 50435->50434 50437 384d1c 50435->50437 50450 38528d 50437->50450 50439 384d01 50449 386d2f 25 API calls _memcpy_s 50439->50449 50441 384d0c 50443 37f3a0 __floor_pentium4 5 API calls 50441->50443 50442 384d2c __vsnwprintf_s_l 50458 385804 50 API calls 3 library calls 50442->50458 50444 242da3 50443->50444 50444->50395 50444->50400 50444->50430 50447 384db3 50459 385310 50447->50459 50448->50439 50449->50441 50451 3852ad 50450->50451 50457 3852a4 50450->50457 50451->50457 50462 393552 37 API calls 3 library calls 50451->50462 50453 3852cd 50463 3937a4 37 API calls __cftof 50453->50463 50455 3852e3 50464 3937d1 47 API calls __cftof 50455->50464 50457->50442 50458->50447 50465 392eb8 50459->50465 50461 385320 50461->50441 50462->50453 50463->50455 50464->50457 50466 392eec _free 50465->50466 50467 392ec3 HeapFree 50465->50467 50466->50461 50467->50466 50468 392ed8 50467->50468 50471 386e09 14 API calls __dosmaperr 50468->50471 50470 392ede GetLastError 50470->50466 50471->50470 50473 384e7b 50472->50473 50474 384e66 50472->50474 50476 384ebf 50473->50476 50479 384e89 50473->50479 50488 386e09 14 API calls __dosmaperr 50474->50488 
50492 386e09 14 API calls __dosmaperr 50476->50492 50478 384e6b 50489 386d2f 25 API calls _memcpy_s 50478->50489 50490 384b4d 50 API calls 5 library calls 50479->50490 50482 384e76 50482->50429 50483 384ea1 50485 384ecf 50483->50485 50491 386e09 14 API calls __dosmaperr 50483->50491 50485->50429 50487 384eb7 50493 386d2f 25 API calls _memcpy_s 50487->50493 50488->50478 50489->50482 50490->50483 50491->50487 50492->50487 50493->50485 50495 386ac1 50494->50495 50496 386ad6 50494->50496 50512 386e09 14 API calls __dosmaperr 50495->50512 50496->50495 50498 386ada 50496->50498 50504 384a06 50498->50504 50499 386ac6 50513 386d2f 25 API calls _memcpy_s 50499->50513 50503 386ad1 50503->50089 50505 384a12 __fread_nolock 50504->50505 50514 38717a EnterCriticalSection 50505->50514 50507 384a20 50515 38534e 50507->50515 50511 384a3e 50511->50089 50512->50499 50513->50503 50514->50507 50529 39431b 50515->50529 50518 38528d __cftof 47 API calls 50519 385388 __vsnwprintf_s_l 50518->50519 50540 3855c0 50519->50540 50522 385310 __vsnwprintf_s_l 14 API calls 50523 3853d9 50522->50523 50553 3943ce 50523->50553 50526 37f3a0 __floor_pentium4 5 API calls 50527 384a2d 50526->50527 50528 384a55 LeaveCriticalSection __fread_nolock 50527->50528 50528->50511 50557 387f33 50529->50557 50531 39432c 50564 39d47b 50531->50564 50533 394332 50534 385371 50533->50534 50535 394383 50533->50535 50534->50518 50573 392ef2 15 API calls 2 library calls 50535->50573 50537 39438d 50538 392eb8 _free 14 API calls 50537->50538 50539 394396 50538->50539 50539->50534 50579 386750 50540->50579 50542 3853cc 50542->50522 50543 3855e0 50586 386e09 14 API calls __dosmaperr 50543->50586 50545 3855e5 50587 386d2f 25 API calls _memcpy_s 50545->50587 50547 3855d1 __vsnwprintf_s_l 50547->50542 50547->50543 50588 38595d 48 API calls 2 library calls 50547->50588 50589 3861c1 48 API calls __vsnwprintf_s_l 50547->50589 50590 3859e0 48 API calls __vsnwprintf_s_l 50547->50590 50591 385a07 50 API calls 4 library calls 
50547->50591 50592 385cf7 50 API calls 2 library calls 50547->50592 50554 3943d9 50553->50554 50555 3853fb 50553->50555 50554->50555 50595 387e28 50554->50595 50555->50526 50558 387f3f 50557->50558 50559 387f54 50557->50559 50574 386e09 14 API calls __dosmaperr 50558->50574 50559->50531 50561 387f44 50575 386d2f 25 API calls _memcpy_s 50561->50575 50563 387f4f 50563->50531 50565 39d488 50564->50565 50566 39d495 50564->50566 50576 386e09 14 API calls __dosmaperr 50565->50576 50569 39d4a1 50566->50569 50577 386e09 14 API calls __dosmaperr 50566->50577 50568 39d48d 50568->50533 50569->50533 50571 39d4c2 50578 386d2f 25 API calls _memcpy_s 50571->50578 50573->50537 50574->50561 50575->50563 50576->50568 50577->50571 50578->50568 50580 386768 50579->50580 50581 386755 50579->50581 50580->50547 50593 386e09 14 API calls __dosmaperr 50581->50593 50583 38675a 50594 386d2f 25 API calls _memcpy_s 50583->50594 50585 386765 50585->50547 50586->50545 50587->50542 50588->50547 50589->50547 50590->50547 50591->50547 50592->50547 50593->50583 50594->50585 50596 387e40 50595->50596 50600 387e65 50595->50600 50597 387f33 __fread_nolock 25 API calls 50596->50597 50596->50600 50598 387e5e 50597->50598 50601 395c6e 50598->50601 50600->50555 50602 395c7a __fread_nolock 50601->50602 50603 395c9a 50602->50603 50604 395c82 50602->50604 50606 395d35 50603->50606 50610 395ccc 50603->50610 50671 386df6 14 API calls __dosmaperr 50604->50671 50676 386df6 14 API calls __dosmaperr 50606->50676 50607 395c87 50672 386e09 14 API calls __dosmaperr 50607->50672 50626 388f2e EnterCriticalSection 50610->50626 50611 395d3a 50677 386e09 14 API calls __dosmaperr 50611->50677 50614 395cd2 50616 395cee 50614->50616 50617 395d03 50614->50617 50615 395d42 50678 386d2f 25 API calls _memcpy_s 50615->50678 50673 386e09 14 API calls __dosmaperr 50616->50673 50627 395d60 50617->50627 50621 395cfe 50675 395d2d LeaveCriticalSection 50621->50675 50622 395cf3 50674 386df6 14 API calls __dosmaperr 50622->50674 50625 
395c8f 50625->50600 50626->50614 50628 395d82 50627->50628 50667 395d9e 50627->50667 50629 395d86 50628->50629 50632 395dd6 50628->50632 50693 386df6 14 API calls __dosmaperr 50629->50693 50631 395d8b 50694 386e09 14 API calls __dosmaperr 50631->50694 50634 395de9 50632->50634 50696 396e12 27 API calls __fread_nolock 50632->50696 50679 395907 50634->50679 50636 395d93 50695 386d2f 25 API calls _memcpy_s 50636->50695 50640 395dff 50642 395e28 50640->50642 50645 395e03 50640->50645 50641 395e3e 50643 395e52 50641->50643 50644 395e97 WriteFile 50641->50644 50698 3954f5 51 API calls 4 library calls 50642->50698 50648 395e5d 50643->50648 50649 395e87 50643->50649 50647 395ebb GetLastError 50644->50647 50660 395e75 50644->50660 50654 395e1e 50645->50654 50697 39589f 6 API calls 50645->50697 50647->50660 50650 395e62 50648->50650 50651 395e77 50648->50651 50686 395978 50649->50686 50650->50654 50655 395e67 50650->50655 50700 395b3c 8 API calls 2 library calls 50651->50700 50657 395f0b 50654->50657 50658 395ee1 50654->50658 50654->50667 50699 395a53 7 API calls __floor_pentium4 50655->50699 50657->50667 50704 386e09 14 API calls __dosmaperr 50657->50704 50661 395ee8 50658->50661 50662 395eff 50658->50662 50660->50654 50701 386e09 14 API calls __dosmaperr 50661->50701 50703 386dd3 14 API calls 2 library calls 50662->50703 50666 395eed 50702 386df6 14 API calls __dosmaperr 50666->50702 50667->50621 50668 395f23 50705 386df6 14 API calls __dosmaperr 50668->50705 50671->50607 50672->50625 50673->50622 50674->50621 50675->50625 50676->50611 50677->50615 50678->50625 50680 39d47b __fread_nolock 25 API calls 50679->50680 50681 395918 50680->50681 50685 39596e 50681->50685 50706 393552 37 API calls 3 library calls 50681->50706 50683 39593b 50684 395955 GetConsoleMode 50683->50684 50683->50685 50684->50685 50685->50640 50685->50641 50691 395987 50686->50691 50687 395a38 50688 37f3a0 __floor_pentium4 5 API calls 50687->50688 50689 395a51 50688->50689 50689->50654 50690 3959f7 
WriteFile 50690->50691 50692 395a3a GetLastError 50690->50692 50691->50687 50691->50690 50692->50687 50693->50631 50694->50636 50695->50667 50696->50634 50697->50654 50698->50654 50699->50660 50700->50660 50701->50666 50702->50667 50703->50667 50704->50668 50705->50667 50706->50683 50707->50093 50708->50099 50709->50102 50711 391dd1 50714 391cab 50711->50714 50715 391cb9 50714->50715 50716 391ccb 50714->50716 50742 3803b3 GetModuleHandleW 50715->50742 50726 391b52 50716->50726 50720 391cbe 50720->50716 50743 391d51 GetModuleHandleExW 50720->50743 50721 391d04 50725 391d0e 50727 391b5e __fread_nolock 50726->50727 50749 395377 EnterCriticalSection 50727->50749 50729 391b68 50750 391bbe 50729->50750 50731 391b75 50754 391b93 50731->50754 50734 391d0f 50759 397ea5 GetPEB 50734->50759 50737 391d3e 50740 391d51 __cftof 3 API calls 50737->50740 50738 391d1e GetPEB 50738->50737 50739 391d2e GetCurrentProcess TerminateProcess 50738->50739 50739->50737 50741 391d46 ExitProcess 50740->50741 50742->50720 50744 391d70 GetProcAddress 50743->50744 50745 391d93 50743->50745 50748 391d85 50744->50748 50746 391d99 FreeLibrary 50745->50746 50747 391cca 50745->50747 50746->50747 50747->50716 50748->50745 50749->50729 50752 391bca __fread_nolock 50750->50752 50751 391c2b __cftof 50751->50731 50752->50751 50757 3928ce 14 API calls __cftof 50752->50757 50758 3953bf LeaveCriticalSection 50754->50758 50756 391b81 50756->50721 50756->50734 50757->50751 50758->50756 50760 397ebf 50759->50760 50762 391d19 50759->50762 50763 39489a 5 API calls __dosmaperr 50760->50763 50762->50737 50762->50738 50763->50762

      Control-flow Graph (function at 0x241cb0)

      Block  Range            API             Successors as listed
      658    241cb0-241cd3    FindResourceW   659, 660
      659    241cd5-241cd8                    -
      660    241cd9-241ce4    LoadResource    661, 662
      661    241ce6-241cee                    -
      662    241cef-241cfa    LockResource    661, 663
      663    241cfc-241d0c    SizeofResource  664, 665
      664    241d22-241d24                    661, 667
      665    241d0e                           666
      666    241d10-241d12                    661, 668
      667    241d26-241d34                    -
      668    241d14-241d20                    664, 666
      APIs
      • FindResourceW.KERNELBASE(?,?,00000006), ref: 00241CC8
      • LoadResource.KERNEL32(?,00000000), ref: 00241CDC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$FindLoad
      • String ID:
      • API String ID: 2619053042-0
      • Opcode ID: 131e26b35f17bb069b757185fb362803551cecaaad9caf48433e98359f9f0863
      • Instruction ID: 1bb28264d461fe0ec052ae26a8cf9ac88532867d3be546150671d5eb8141bde1
      • Opcode Fuzzy Hash: 131e26b35f17bb069b757185fb362803551cecaaad9caf48433e98359f9f0863
      • Instruction Fuzzy Hash: 9D012D77B202365BDB211FAAEC8457AB39CEB84366B014537FD49D7100D531DC7087A0
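The function above is the standard four-call sequence for reading an embedded resource: FindResourceW locates the directory entry, LoadResource and LockResource yield a pointer to the bytes, and SizeofResource gives the length. The report shows FindResourceW being called with type 6 (RT_STRING). The static equivalent is to walk the PE resource directory on disk, which lets an analyst list and extract exactly what such code would load without executing the sample. The Python below is an added example, not code from the report or from startswinstall.exe, and uses only the standard library. Since no real image can be embedded here, build_sample_pe() constructs a minimal PE32 with one RT_STRING resource; the block number, language ID and the two strings it contains are assumptions. Passing a file path to walk_resources() works the same way on a real executable.

```python
"""Static walk of a PE resource tree: the on-disk counterpart of the FindResourceW ->
LoadResource -> LockResource -> SizeofResource chain. Added example, not code from the
report or the sample; standard library only. build_sample_pe() constructs the test input;
its resource type, ID, language and strings are assumptions, not data from the sample."""
import struct

RT_STRING = 6
SAMPLE_STRINGS = ["first constructed entry", "second constructed entry"]   # constructed

def _sections(data, pe_off):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section header."""
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    base = pe_off + 24 + opt_size                    # section table follows the optional header
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, base + 40 * i + 8)
        yield vaddr, vsize, rptr, rsize

def rva_to_offset(sections, rva):
    """Resource entries hold RVAs; map one to a file offset through the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def entry_name(data, rsrc_off, field):
    """High bit set: offset to a length-prefixed UTF-16 name; otherwise a numeric ID."""
    if field & 0x80000000:
        off = rsrc_off + (field & 0x7FFFFFFF)
        (n,) = struct.unpack_from("<H", data, off)
        return data[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return field

def walk_resources(data):
    """Return [(type, name, language, payload_bytes)] for every leaf of the resource tree."""
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    dirs = pe_off + 24 + (96 if magic == 0x10B else 112)     # data directory table: PE32 vs PE32+
    rsrc_rva, _size = struct.unpack_from("<II", data, dirs + 2 * 8)   # directory index 2 = resources
    if rsrc_rva == 0:
        return []
    sections, leaves = list(_sections(data, pe_off)), []
    rsrc_off = rva_to_offset(sections, rsrc_rva)

    def walk(dir_off, path):
        n_named, n_id = struct.unpack_from("<HH", data, dir_off + 12)
        for i in range(n_named + n_id):
            name_f, off_f = struct.unpack_from("<II", data, dir_off + 16 + 8 * i)
            key = entry_name(data, rsrc_off, name_f)
            if off_f & 0x80000000:                   # subdirectory, offset relative to .rsrc start
                walk(rsrc_off + (off_f & 0x7FFFFFFF), path + [key])
            else:                                    # IMAGE_RESOURCE_DATA_ENTRY: RVA, Size, CodePage, Reserved
                data_rva, size = struct.unpack_from("<II", data, rsrc_off + off_f)
                start = rva_to_offset(sections, data_rva)
                leaves.append(tuple(path + [key, data[start:start + size]]))

    walk(rsrc_off, [])
    return leaves

def find_resource(data, res_type, name):
    """Static FindResource/LoadResource/LockResource/SizeofResource; for RT_STRING, name = string_id // 16 + 1."""
    for rtype, rname, _lang, blob in walk_resources(data):
        if rtype == res_type and rname == name:
            return blob
    return None

def decode_string_table(block):
    """An RT_STRING block is 16 (uint16 length, UTF-16 chars) pairs; unused slots have length 0."""
    out, pos = [], 0
    for _ in range(16):
        (n,) = struct.unpack_from("<H", block, pos)
        out.append(block[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    return out

def build_string_block(strings):
    """Encode up to 16 strings as one RT_STRING block (used only to construct the test input)."""
    encoded = [s.encode("utf-16-le") for s in list(strings) + [""] * (16 - len(strings))]
    return b"".join(struct.pack("<H", len(e) // 2) + e for e in encoded)

def build_sample_pe(payload=None, res_type=RT_STRING, res_id=1, lang=0x409):
    """Minimal single-section PE32 whose .rsrc holds exactly one resource (constructed test input)."""
    payload = build_string_block(SAMPLE_STRINGS) if payload is None else payload
    rsrc_rva, raw_ptr = 0x1000, 0x200
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)                          # directory with one ID entry
    rsrc = b"".join([hdr, struct.pack("<II", res_type, 0x80000000 | 24),    # root -> type dir at 24
                     hdr, struct.pack("<II", res_id, 0x80000000 | 48),      # type -> name dir at 48
                     hdr, struct.pack("<II", lang, 72),                     # name -> data entry at 72
                     struct.pack("<IIII", rsrc_rva + 88, len(payload), 0, 0), payload])  # bytes at 88
    opt = (struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)        # PE32 magic, 16 directories
           + b"\0" * 16 + struct.pack("<II", rsrc_rva, len(rsrc)) + b"\0" * 104)    # directory index 2 = resources
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew -> PE header at 0x40
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + rsrc
```

Against a real sample, `walk_resources(open(path, "rb").read())` lists every (type, name, language) leaf with its bytes, and `find_resource(image, RT_STRING, 1)` followed by `decode_string_table` recovers the first string-table block the way the FindResourceW(…, 6) call in the function above would at run time. Offsets inside the resource tree are relative to the start of .rsrc, while the data entry's OffsetToData is an RVA, which is why the walker keeps both `rsrc_off` and the section map.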

      Control-flow Graph (function at 0x391d0f)

      Block  Range            Calls                                Successors as listed
      776    391d0f-391d1c    call 397ea5                          779, 780
      779    391d3e-391d4a    call 391d51, ExitProcess             -
      780    391d1e-391d2c    GetPEB                               779, 781
      781    391d2e-391d38    GetCurrentProcess, TerminateProcess  779
      APIs
      • GetCurrentProcess.KERNEL32(?,?,00391D0E,?,?,?,?,?,00384D2C), ref: 00391D31
      • TerminateProcess.KERNEL32(00000000,?,00391D0E,?,?,?,?,?,00384D2C), ref: 00391D38
      • ExitProcess.KERNEL32 ref: 00391D4A
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Process$CurrentExitTerminate
      • String ID:
      • API String ID: 1703294689-0
      • Opcode ID: 7223cc0ffee0b5a16cb0662e98e2692317c9d933044a4d92148f6bea8d9f78ea
      • Instruction ID: 75bd31ac3016342e096d40eae5dc093b44d6f726afea24e4fcc91b03f1a48621
      • Opcode Fuzzy Hash: 7223cc0ffee0b5a16cb0662e98e2692317c9d933044a4d92148f6bea8d9f78ea
      • Instruction Fuzzy Hash: 91E0B631100109ABCF176BA4DE4DA683B6DEB85741F014814F8159A171CB35DD42CA50

      Control-flow Graph

      APIs
      • __EH_prolog3.LIBCMT ref: 0027DA0F
      • GetSysColor.USER32(00000016), ref: 0027DA18
      • GetSysColor.USER32(0000000F), ref: 0027DA2B
      • GetSysColor.USER32(00000015), ref: 0027DA42
      • GetSysColor.USER32(0000000F), ref: 0027DA4E
      • GetDeviceCaps.GDI32(?,0000000C), ref: 0027DA76
      • GetSysColor.USER32(0000000F), ref: 0027DA84
      • GetSysColor.USER32(00000010), ref: 0027DA92
      • GetSysColor.USER32(00000015), ref: 0027DAA0
      • GetSysColor.USER32(00000016), ref: 0027DAAE
      • GetSysColor.USER32(00000014), ref: 0027DABC
      • GetSysColor.USER32(00000012), ref: 0027DACA
      • GetSysColor.USER32(00000011), ref: 0027DAD8
      • GetSysColor.USER32(00000006), ref: 0027DAE3
      • GetSysColor.USER32(0000000D), ref: 0027DAEE
      • GetSysColor.USER32(0000000E), ref: 0027DAF9
      • GetSysColor.USER32(00000005), ref: 0027DB04
      • GetSysColor.USER32(00000008), ref: 0027DB12
      • GetSysColor.USER32(00000009), ref: 0027DB1D
      • GetSysColor.USER32(00000007), ref: 0027DB28
      • GetSysColor.USER32(00000002), ref: 0027DB33
      • GetSysColor.USER32(00000003), ref: 0027DB3E
      • GetSysColor.USER32(0000001B), ref: 0027DB4C
      • GetSysColor.USER32(0000001C), ref: 0027DB5A
      • GetSysColor.USER32(0000000A), ref: 0027DB68
      • GetSysColor.USER32(0000000B), ref: 0027DB76
      • GetSysColor.USER32(00000013), ref: 0027DB84
      • GetSysColor.USER32(0000001A), ref: 0027DBAD
      • GetSysColorBrush.USER32(00000010), ref: 0027DBBE
      • GetSysColorBrush.USER32(00000014), ref: 0027DBD1
      • GetSysColorBrush.USER32(00000005), ref: 0027DBE4
      • CreateSolidBrush.GDI32(?), ref: 0027DC05
      • CreateSolidBrush.GDI32(00000010), ref: 0027DC23
      • CreateSolidBrush.GDI32(?), ref: 0027DC41
      • CreateSolidBrush.GDI32(?), ref: 0027DC62
      • CreateSolidBrush.GDI32(?), ref: 0027DC80
      • CreateSolidBrush.GDI32(?), ref: 0027DC9E
      • CreateSolidBrush.GDI32(?), ref: 0027DCBC
      • CreatePen.GDI32(00000000,00000001), ref: 0027DCE2
      • CreatePen.GDI32(00000000,00000001), ref: 0027DD06
      • CreatePen.GDI32(00000000,00000001), ref: 0027DD2A
      • CreateSolidBrush.GDI32(?), ref: 0027DDA8
      • CreatePatternBrush.GDI32(00000000), ref: 0027DDE6
        • Part of subcall function 002555A8: DeleteObject.GDI32(00000000), ref: 002555B7
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
      • String ID: {&$PW%
      • API String ID: 3754413814-2158479433
      • Opcode ID: a0ed5d299dd354bab07f255341b5ad4d187858516fd352aad2399e1091c826b4
      • Instruction ID: 92146675ee44af219daa78ce3ae26006d6d578390fcb5f289a1b43907124015b
      • Opcode Fuzzy Hash: a0ed5d299dd354bab07f255341b5ad4d187858516fd352aad2399e1091c826b4
      • Instruction Fuzzy Hash: 5EC1C170A00A26AFDB06AFB0CD297ADBBB5FF09702F404518F60997191DB39A525DF90

Control-flow Graph (rendered image not reproduced; executed / not executed block colouring lost)

• Entry 0x0027D4D4: __EH_prolog3_GS, call 0x002549BD, GetDeviceCaps; ten guarded DeleteObject blocks (0x0027D55A to 0x0027D676); GetTextCharsetInfo (via 0x0027D15C / 0x00381DA0); lstrcpyW; the EnumFontFamiliesW fallback chain at 0x0027D713 to 0x0027D770; a run of CreateFontIndirectW blocks interleaved with GetSystemMetrics, GetStockObject and GetObjectW (0x0027D776 to 0x0027D9AD); call 0x0027DE26; exit through 0x00254ABE / 0x00254C2E / 0x0037F95E or 0x002471CA.
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0027D4DE
        • Part of subcall function 002549BD: __EH_prolog3.LIBCMT ref: 002549C4
        • Part of subcall function 002549BD: GetWindowDC.USER32(00000000,00000004,0027DA6E,00000000), ref: 002549F0
      • GetDeviceCaps.GDI32(?,00000058), ref: 0027D4FE
      • DeleteObject.GDI32(00000000), ref: 0027D568
      • DeleteObject.GDI32(00000000), ref: 0027D586
      • DeleteObject.GDI32(00000000), ref: 0027D5A4
      • DeleteObject.GDI32(00000000), ref: 0027D5C2
      • DeleteObject.GDI32(00000000), ref: 0027D5E0
      • DeleteObject.GDI32(00000000), ref: 0027D5FE
      • DeleteObject.GDI32(00000000), ref: 0027D61C
      • DeleteObject.GDI32(00000000), ref: 0027D63A
      • DeleteObject.GDI32(00000000), ref: 0027D658
      • DeleteObject.GDI32(00000000), ref: 0027D676
      • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 0027D6AE
      • lstrcpyW.KERNEL32(?,?), ref: 0027D6FE
      • EnumFontFamiliesW.GDI32(?,00000000,0027CFFF,Segoe UI), ref: 0027D725
      • lstrcpyW.KERNEL32(?,Segoe UI), ref: 0027D738
      • EnumFontFamiliesW.GDI32(?,00000000,0027CFFF,Tahoma), ref: 0027D756
      • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 0027D770
      • CreateFontIndirectW.GDI32(?), ref: 0027D77A
      • CreateFontIndirectW.GDI32(?), ref: 0027D7CB
      • CreateFontIndirectW.GDI32(?), ref: 0027D80A
      • CreateFontIndirectW.GDI32(?), ref: 0027D836
      • CreateFontIndirectW.GDI32(?), ref: 0027D857
      • GetSystemMetrics.USER32(00000048), ref: 0027D876
      • lstrcpyW.KERNEL32(?,Marlett), ref: 0027D889
      • CreateFontIndirectW.GDI32(?), ref: 0027D893
      • GetStockObject.GDI32(00000011), ref: 0027D8BF
      • GetObjectW.GDI32(00000000,0000005C,?), ref: 0027D8D6
      • lstrcpyW.KERNEL32(?,Arial), ref: 0027D913
      • CreateFontIndirectW.GDI32(?), ref: 0027D91D
      • CreateFontIndirectW.GDI32(?), ref: 0027D936
      • GetStockObject.GDI32(00000011), ref: 0027D94A
      • GetObjectW.GDI32(?,0000005C,?), ref: 0027D95F
      • CreateFontIndirectW.GDI32(?), ref: 0027D96D
      • CreateFontIndirectW.GDI32(?), ref: 0027D98E
        • Part of subcall function 0027DE26: __EH_prolog3_GS.LIBCMT ref: 0027DE2D
        • Part of subcall function 0027DE26: GetTextMetricsW.GDI32(?,?), ref: 0027DE62
        • Part of subcall function 0027DE26: GetTextMetricsW.GDI32(?,?), ref: 0027DEA3
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceH_prolog3InfoSystemWindow
      • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma$l:;
      • API String ID: 3506729969-435004317
      • Opcode ID: 39a1b1a4473a5ebb934f2395aea9455e1104d3625221f41ce8013fde942139a4
      • Instruction ID: d53f8b3811d630f2d0d8e53d71d0c01faad6701df79bea4fd599564476885ac1
      • Opcode Fuzzy Hash: 39a1b1a4473a5ebb934f2395aea9455e1104d3625221f41ce8013fde942139a4
      • Instruction Fuzzy Hash: 1BE18EB0A103599FDB12AFB0CC59BDEBBBCAF05305F008459E60EA7291DB749958CF15

Control-flow Graph (rendered image not reproduced; executed / not executed block colouring lost)

• Entry 0x0024936C: __EH_prolog3 (call 0x0037F980), two lstrcmpA tests, then a chain of eight CompareStringA tests (0x002493B5 to 0x0024947C); matches dispatch into subcalls 0x003893FE, 0x002450F0, 0x00249A40, 0x00245030, 0x00241D40 and 0x0025094D, with two further lstrcmpA and two CompareStringA tests at 0x002494FF to 0x0024956B; all paths converge on the epilogue at 0x002495B6 (call 0x0037F949).
      APIs
      • __EH_prolog3.LIBCMT ref: 00249373
      • lstrcmpA.KERNEL32(?,003AF548,00000008,00249348,?,?,00000004,00245C48,?,?,?), ref: 00249383
      • lstrcmpA.KERNEL32(?,003AF54C,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0024939F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: lstrcmp$H_prolog3
      • String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$RestartByRestartManager$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde$ddenoshow
      • API String ID: 477540313-844245956
      • Opcode ID: 696c9c777fa5fd49df155fcbeaa7678ec205676cdc6968db0c7d2bc3f1071bc6
      • Instruction ID: fcf71736e3b90768682930ee66fc5047b495e028e6edcab762ddd03efad0c357
      • Opcode Fuzzy Hash: 696c9c777fa5fd49df155fcbeaa7678ec205676cdc6968db0c7d2bc3f1071bc6
      • Instruction Fuzzy Hash: 3951D6B0AA4706BEEB269F708D8EF7B3A6CEB13B49F100118F155A61D1C6B49D54CB21

Control-flow Graph (rendered image not reproduced; executed / not executed block colouring lost)

• Entry 0x00241ED0: call 0x00246CAC, then three rounds of call 0x00242590 (the resource lookup listed below) each with 0x00242A40 on its failure edge and 0x00246180 / 0x00242D70 afterwards; four guarded calls to 0x003847A6 (0x00242071, 0x00242108, 0x0024219F, 0x00242236), each followed by 0x00242950 / 0x002429B0 blocks; ShellExecuteExW at 0x002422C7 to 0x00242321 and WaitForSingleObject at 0x00242327; the failure branches run through the 0x00241C60 chain at 0x00242387 to 0x002423AF.
      APIs
        • Part of subcall function 00242590: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
        • Part of subcall function 00242590: LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
        • Part of subcall function 00242590: LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
        • Part of subcall function 00242590: SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      • ShellExecuteExW.SHELL32(?), ref: 00242319
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0024232C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$ExecuteFindLoadLockObjectShellSingleSizeofWait
      • String ID: /autoreboot$ /pushdeployment$ /skipcountdown$ /testinstall$/adminclient /new /source "%s" /norunsw$<$@$AdminDirector.xml$\sldim\sldim.exe
      • API String ID: 2787188216-2987903987
      • Opcode ID: a769efe9f164979e6bc3cac026d8864712f99075cb05dfef1d84018b588b31e5
      • Instruction ID: bd316de2f5de7a4517062b7237581496aa32531e1c1e2854915d81590d214df9
      • Opcode Fuzzy Hash: a769efe9f164979e6bc3cac026d8864712f99075cb05dfef1d84018b588b31e5
      • Instruction Fuzzy Hash: A5E12571A10206DFDB19DFA9C885BAEBBF5EF84310F544268F850A7391DB70A958CF50

Control-flow Graph (rendered image not reproduced; executed / not executed block colouring lost)

• Entry 0x00245DA0: GetModuleHandleW (failure edge to 0x00246143), GetCommandLineW, call 0x0024A41E (failure edge to 0x00245DFA), then 0x00248573 / 0x00249250 / 0x002465E0 and 0x002462B0 / 0x00245030; branches into 0x00246915, 0x00242590 (with 0x00242A40 on failure), 0x002429B0, 0x00243370, 0x00243800 and 0x00241ED0; every failure path reports through 0x00245D70 and the function leaves via 0x00248743, or via 0x00241C60 / 0x00242C90.
      APIs
      • GetModuleHandleW.KERNEL32(00000000,ACDA73A4), ref: 00245DD5
      • GetCommandLineW.KERNEL32(00000000), ref: 00245DE7
        • Part of subcall function 0024A41E: SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
        • Part of subcall function 0024A41E: SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
        • Part of subcall function 00241C60: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?), ref: 00241C85
        • Part of subcall function 00241C60: GetLastError.KERNEL32(?,00000000,00000000,?), ref: 00241C8F
      Strings
      • 20230-40400-1100, xrefs: 00245ED3, 00245EEA
      • Fatal Error: Failed to generate AdminUninstaller, xrefs: 0024604C
      • Fatal Error: GetModuleHandle failed, xrefs: 00246143
      • xi@, xrefs: 00245E36
      • Fatal Error: AdminInstall failed to run, xrefs: 00246093
      • Fatal Error: Failed to generate AdminInstaller, xrefs: 002460EB
      • Fatal Error: Failed to determine application path, xrefs: 002460F2
      • Fatal Error: AdminUninstall failed to run, xrefs: 00246004
      • Fatal Error: MFC initialization failed, xrefs: 00245DFA
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Error$Mode$CommandCriticalHandleInitializeLastLineModuleSection
      • String ID: 20230-40400-1100$Fatal Error: AdminInstall failed to run$Fatal Error: AdminUninstall failed to run$Fatal Error: Failed to determine application path$Fatal Error: Failed to generate AdminInstaller$Fatal Error: Failed to generate AdminUninstaller$Fatal Error: GetModuleHandle failed$Fatal Error: MFC initialization failed$xi@
      • API String ID: 2847907607-2648580806
      • Opcode ID: 39a8ee02b146411dd1d04479cbfd0912edb28676982c11611630fbf1143f9725
      • Instruction ID: 3d0ad568d492ff79e434f4774099a3cc6312b23de408a10c307c1fd31e456596
      • Opcode Fuzzy Hash: 39a8ee02b146411dd1d04479cbfd0912edb28676982c11611630fbf1143f9725
      • Instruction Fuzzy Hash: EBC1F470A10606DFDB05DFA8C849B9EF7B4FF45314F148269E805AB292EB719D14CF92

Control-flow Graph (rendered image not reproduced; executed / not executed block colouring lost)

• Entry 0x0024BDBB: EnterCriticalSection; either GlobalAlloc (0x0024BE1F, via call 0x00246AF4) or GlobalHandle / GlobalUnlock / GlobalReAlloc (0x0024BE34); GlobalLock and call 0x00381DA0 on success; LeaveCriticalSection on the normal exit at 0x0024BEA0; the failure path (0x0024BEB7) does GlobalHandle / GlobalLock, LeaveCriticalSection and call 0x002471E4.
      APIs
      • EnterCriticalSection.KERNEL32(004024A4,?,?,?), ref: 0024BDCD
      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?), ref: 0024BE2C
      • GlobalHandle.KERNEL32(00402498), ref: 0024BE35
      • GlobalUnlock.KERNEL32(00000000), ref: 0024BE3E
      • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0024BE57
      • GlobalLock.KERNEL32(00000000), ref: 0024BE65
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?), ref: 0024BEAA
      • GlobalHandle.KERNEL32(00000000), ref: 0024BEBE
      • GlobalLock.KERNEL32(00000000), ref: 0024BEC5
      • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0024BECE
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
      • String ID:
      • API String ID: 2667261700-0
      • Opcode ID: 4bdbaa1d854861856a46b5bfd55e5a9e35dd010110e42035e742f56a426b7697
      • Instruction ID: d7053bc72c5fbb37239cfb9c0827ab607f156a22545e300dfe4c7406735fdd06
      • Opcode Fuzzy Hash: 4bdbaa1d854861856a46b5bfd55e5a9e35dd010110e42035e742f56a426b7697
      • Instruction Fuzzy Hash: 7231C235600205EFDF1ACF68D889A9A7BB9FF85301F1480A8E905DB295DB70ED11CF50

Control-flow Graph (rendered image not reproduced)

      APIs
      • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0024CC56
      • GetSystemMetrics.USER32(0000000C), ref: 0024CC61
      • GetSystemMetrics.USER32(00000002), ref: 0024CC6C
      • GetSystemMetrics.USER32(00000003), ref: 0024CC7A
      • GetDC.USER32(00000000), ref: 0024CC88
      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0024CC93
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0024CC9F
      • ReleaseDC.USER32(00000000,00000000), ref: 0024CCAB
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
      • String ID:
      • API String ID: 1031845853-0
      • Opcode ID: 9044c7f98d6e0367e92587a398c12c81fb2608a284f3501674007db93d596aa8
      • Instruction ID: f6bda7e6a1a661c383be45c495412233c4b7128b64ff028b6eea2a8c89ee4de4
      • Opcode Fuzzy Hash: 9044c7f98d6e0367e92587a398c12c81fb2608a284f3501674007db93d596aa8
      • Instruction Fuzzy Hash: 7FF01771A80720AFE7121FB1AD0DB667F68FB46712F004525F212DA1D0EBBA8405CFA0

Control-flow Graph (rendered image not reproduced)

      APIs
      • __EH_prolog3.LIBCMT ref: 0031CC89
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00402958,?,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 002560C9
        • Part of subcall function 00256098: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
        • Part of subcall function 00256098: LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
      • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0031CCDC
      • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0031CCF2
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
      • String ID: DragDelay$DragMinDist$windows
      • API String ID: 3965097884-2101198082
      • Opcode ID: 509d18faac1d846b894119d2547234d9138053bac9e90a088738fa7c85a983cf
      • Instruction ID: 0ecd4c646215b1d92ef662fb46bf76979e24007ca5f2e29f0d9ec27b8013eb71
      • Opcode Fuzzy Hash: 509d18faac1d846b894119d2547234d9138053bac9e90a088738fa7c85a983cf
      • Instruction Fuzzy Hash: EF011EB0D40F059FDBA2EF34894AB1ABAF4FB09704F80493DE149EB691D7B464418F09

      Control-flow Graph

      [Rendered as an image in the original report; the recoverable block list follows.] Function 0024A47C: entry block 0024A47C-0024A4BF calls 0024BBBB and GetModuleFileNameW; block 0024A4CA-0024A4DB calls PathFindExtensionW; block 0024A4E2-0024A501 calls 0024A3D9; the later blocks branch through calls to 00255445, 00247116, 0038939F, 0038736C, 0038932A, 00241BA0 and 0037F3A0 and exit via 002471E4 at 0024A643-0024A648.
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 0024A4B7
      • PathFindExtensionW.SHLWAPI(?,?,?), ref: 0024A4D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ExtensionFileFindModuleNamePath
      • String ID: .CHM$.HLP$.INI
      • API String ID: 2295281026-4017452060
      • Opcode ID: bce508e2ca7b623f9d1b38232a1cd771bbe9396e3fd87e3e8d768600381898f9
      • Instruction ID: 666dbc7768654f5c1c6171dcd1fee78f6f834adf6186b59ba253b281f5adaa90
      • Opcode Fuzzy Hash: bce508e2ca7b623f9d1b38232a1cd771bbe9396e3fd87e3e8d768600381898f9
      • Instruction Fuzzy Hash: 1A41D3B0A507099BDB25EF74CD45BAA73ECEF44300F4448AAA545C7181EBB4D954CF22

      Control-flow Graph

      APIs
      • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,00404478), ref: 0027D266
      • VerSetConditionMask.KERNEL32(00000000), ref: 0027D26E
      • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0027D27F
      • GetSystemMetrics.USER32(00001000), ref: 0027D290
        • Part of subcall function 0027DA08: __EH_prolog3.LIBCMT ref: 0027DA0F
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000016), ref: 0027DA18
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA2B
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000015), ref: 0027DA42
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA4E
        • Part of subcall function 0027DA08: GetDeviceCaps.GDI32(?,0000000C), ref: 0027DA76
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA84
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000010), ref: 0027DA92
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000015), ref: 0027DAA0
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000016), ref: 0027DAAE
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000014), ref: 0027DABC
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000012), ref: 0027DACA
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000011), ref: 0027DAD8
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000006), ref: 0027DAE3
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000D), ref: 0027DAEE
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000E), ref: 0027DAF9
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000005), ref: 0027DB04
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000008), ref: 0027DB12
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000009), ref: 0027DB1D
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000007), ref: 0027DB28
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000002), ref: 0027DB33
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000003), ref: 0027DB3E
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000001B), ref: 0027DB4C
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000001C), ref: 0027DB5A
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000A), ref: 0027DB68
        • Part of subcall function 0027D4D4: __EH_prolog3_GS.LIBCMT ref: 0027D4DE
        • Part of subcall function 0027D4D4: GetDeviceCaps.GDI32(?,00000058), ref: 0027D4FE
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D568
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D586
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5A4
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5C2
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5E0
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5FE
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D61C
        • Part of subcall function 0027D2EE: GetSystemMetrics.USER32(00000031), ref: 0027D2FC
        • Part of subcall function 0027D2EE: GetSystemMetrics.USER32(00000032), ref: 0027D30A
        • Part of subcall function 0027D2EE: SetRectEmpty.USER32(004045E4), ref: 0027D31D
        • Part of subcall function 0027D2EE: EnumDisplayMonitors.USER32(00000000,00000000,0027D186,004045E4), ref: 0027D32D
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00000030,00000000,004045E4,00000000), ref: 0027D33C
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00001002,00000000,00404608,00000000), ref: 0027D369
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00001012,00000000,0040460C,00000000), ref: 0027D37D
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(0000100A,00000000,0040461C,00000000), ref: 0027D3A3
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
      • String ID:
      • API String ID: 551326122-0
      • Opcode ID: c1b93b1d3b7f1c8f8c51d5939208166897ce1801c4c0d69e95907377dd9c4a52
      • Instruction ID: 4b38c6a6b3f710e29ee6eeaeba048facd25981c92db8eeade7ae368acf725bc9
      • Opcode Fuzzy Hash: c1b93b1d3b7f1c8f8c51d5939208166897ce1801c4c0d69e95907377dd9c4a52
      • Instruction Fuzzy Hash: C5118AB0A003186BEB25AF75DC5AFEB77BCEF89700F00445DF64696181DBB44A058F90

      Control-flow Graph

      [Rendered as an image in the original report; the recoverable block list follows.] Function 00395D60: entry block 00395D60-00395D7C; the main path passes through calls to 00395907, 00396E12, 003954F5, 0039589F, 00395A53, 00395B3C and 00395978 before block 00395E97-00395EB9 calls WriteFile, followed on one edge by block 00395EBB-00395EC1 calling GetLastError; the error-handling blocks call 00386DF6, 00386E09, 00386D2F and 00386DD3 (the __dosmaperr call at 00395F00) and the function returns through 00395F3B-00395F41.
      APIs
        • Part of subcall function 003954F5: GetConsoleCP.KERNEL32(003874C1,00000000,00000000), ref: 0039553D
      • WriteFile.KERNEL32(?,00000000,003875A9,000000FF,00000000,0000010B,00000000,00000000,00000000,000000FF,?,003874C1,003F9328,0000000C,003875A9,000000FF), ref: 00395EB1
      • GetLastError.KERNEL32(?,003874C1,003F9328,0000000C,003875A9,000000FF), ref: 00395EBB
      • __dosmaperr.LIBCMT ref: 00395F00
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ConsoleErrorFileLastWrite__dosmaperr
      • String ID:
      • API String ID: 251514795-0
      • Opcode ID: cdccd65cb75114a38f6505f65056b8181b519d901ee1414fa3fffff8c19ae69e
      • Instruction ID: d730307bc01ce5929fc2253967f6051a242530b4ef61b5e04fd96f5df0dc9c64
      • Opcode Fuzzy Hash: cdccd65cb75114a38f6505f65056b8181b519d901ee1414fa3fffff8c19ae69e
      • Instruction Fuzzy Hash: A651C271E00A0AAFEF13AFA4C885BEEBBB9EF15350F150455E501AB151D731DE818BA1

      Control-flow Graph

      APIs
      • PathFindFileNameW.SHLWAPI(00000000,?,0024A4FF,?,?,00000104), ref: 0024A3E5
      • SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
      • SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorMode$FileFindNamePath
      • String ID:
      • API String ID: 3295048339-0
      • Opcode ID: 873fae54b74672de77b325694101ca59b96988c239d56a8ec8d63f29c9009c2c
      • Instruction ID: 5849ac5a19193ddf7ce0e9ca1feba33f68ba1e49922f7929743477994fa627a4
      • Opcode Fuzzy Hash: 873fae54b74672de77b325694101ca59b96988c239d56a8ec8d63f29c9009c2c
      • Instruction Fuzzy Hash: 2D11E970464204AFDF15BF64D84DB5D3B9CEF04324F108465F8598B652DB75C961CFA1
      APIs
      • WriteFile.KERNELBASE(?,?,?,?,00000000,003874C1,00000000,00000000,?,00395E95,00000000,00000000,00000000,003875A9,0000010B,00000000), ref: 00395A14
      • GetLastError.KERNEL32(?,00395E95,00000000,00000000,00000000,003875A9,0000010B,00000000,00000000,00000000,000000FF,?,003874C1,003F9328,0000000C,003875A9), ref: 00395A3A
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorFileLastWrite
      • String ID:
      • API String ID: 442123175-0
      • Opcode ID: 1e5ca086d2372218f5cd9dbfa372d83057368b913f56f1ced0dd2bbddb8efb2a
      • Instruction ID: ed7f2f880b46b6f9208d0ae0d356163b81a7ff5e703feb7e90399fa32761ac36
      • Opcode Fuzzy Hash: 1e5ca086d2372218f5cd9dbfa372d83057368b913f56f1ced0dd2bbddb8efb2a
      • Instruction Fuzzy Hash: 8B217C35A002199FDF1BCF29CC809E9B7B9EB49315F2441AAE946D7211E6309E82CF64
      APIs
      • SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
      • SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
        • Part of subcall function 0024A47C: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 0024A4B7
        • Part of subcall function 0024A47C: PathFindExtensionW.SHLWAPI(?,?,?), ref: 0024A4D1
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorMode$ExtensionFileFindModuleNamePath
      • String ID:
      • API String ID: 1764437154-0
      • Opcode ID: 141c340a98053c280693a1db3a00789eba749a9ef79b2b245b8599eb8822cbb7
      • Instruction ID: 2bbff0bb2b7a51680fbe568c9613100f0aaf6ca45b974661ac80b73f00d5fbd8
      • Opcode Fuzzy Hash: 141c340a98053c280693a1db3a00789eba749a9ef79b2b245b8599eb8822cbb7
      • Instruction Fuzzy Hash: BBF0B4745702449FCB15FF64D44DA097BA8EF05714F008499F8858B252C775C912CF92
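      The function records in this listing share one layout: an `APIs` header, bullet lines of the form `Name.MODULE(args), ref: address` (with indented `Part of subcall function X:` lines for calls reached through a callee), then the `Similarity` fields (API ID, String ID, API String ID, Opcode ID, Instruction Fuzzy Hash). The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it turns records into structured objects so that the direct-call sequence, the string list and the Opcode ID can be pulled out for triage or cross-sample comparison. The input is two records copied from this listing, except that the no-argument line `CreatePopupMenu.USER32 ref: 0027790B` is moved in from the SHGetDesktopFolder record to exercise that form, so the second record is a constructed mix.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Two records copied from the report's function listing (GetProfileIntW at
# 0031CCDC and SetErrorMode at 0024A424). The CreatePopupMenu line is moved
# in from another record to cover the no-argument form: a constructed mix.
REPORT_SAMPLE = """\
APIs
  • Part of subcall function 00256098: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
  • Part of subcall function 00256098: LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
  • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
• GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0031CCDC
• GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0031CCF2
Similarity
• API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
• String ID: DragDelay$DragMinDist$windows
• API String ID: 3965097884-2101198082
• Opcode ID: 509d18faac1d846b894119d2547234d9138053bac9e90a088738fa7c85a983cf
• Instruction Fuzzy Hash: EF011EB0D40F059FDBA2EF34894AB1ABAF4FB09704F80493DE149EB691D7B464418F09
APIs
• SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
• SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
  • Part of subcall function 0024A47C: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 0024A4B7
  • Part of subcall function 0024A47C: PathFindExtensionW.SHLWAPI(?,?,?), ref: 0024A4D1
• CreatePopupMenu.USER32 ref: 0027790B
Memory Dump Source
• Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: ErrorMode$ExtensionFileFindModuleNamePath
• String ID:
• API String ID: 1764437154-0
• Opcode ID: 141c340a98053c280693a1db3a00789eba749a9ef79b2b245b8599eb8822cbb7
• Instruction Fuzzy Hash: BBF0B4745702449FCB15FF64D44DA097BA8EF05714F008499F8858B252C775C912CF92
"""

# "• [Part of subcall function X: ]Name.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" lines of the Similarity block (and others we ignore)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
KEY_MAP = {"API ID": "api_id", "API String ID": "api_string_id",
           "Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                      # address of the call site
    via_subcall: Optional[str]    # callee address when the call is indirect

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

def split_records(text):
    """Each record starts at a line that is exactly 'APIs'."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
        elif current is not None:
            current.append(line)
    return ["\n".join(r) for r in records]

def parse_record(text):
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            rec.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
            continue
        f = FIELD_LINE.match(line)
        if f:
            key, val = f["key"].strip(), f["val"].strip()
            if key == "String ID":
                rec.strings = [s for s in val.split("$") if s]   # '$'-separated list
            elif key in KEY_MAP:
                setattr(rec, KEY_MAP[key], val)
    return rec

def parse_report(text):
    return [parse_record(r) for r in split_records(text)]

def direct_api_names(rec):
    return {c.name for c in rec.calls if c.via_subcall is None}

def subcall_api_names(rec):
    return {c.name for c in rec.calls if c.via_subcall is not None}

def api_sequence(rec):
    """Direct calls in call-site address order: a cheap behavioural signature."""
    return [c.name for c in sorted(rec.calls, key=lambda c: c.ref) if c.via_subcall is None]

def index_by_opcode_id(records):
    """Opcode ID keys a function's code independent of load address."""
    return {r.opcode_id: r for r in records if r.opcode_id}

if __name__ == "__main__":
    for rec in parse_report(REPORT_SAMPLE):
        print(rec.opcode_id[:16], api_sequence(rec), rec.strings)
```

      Splitting direct calls from `Part of subcall function` calls matters when reading these records: the direct set is what the function itself does, while the subcall set is repeated under every caller of the same helper (the WideCharToMultiByte and SetErrorMode helpers above appear this way several times). Indexing on Opcode ID lets a record be matched against the same function seen in another sample or in a known library build before any time is spent on it.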
      APIs
      • __EH_prolog3.LIBCMT ref: 0024BFB4
        • Part of subcall function 0024BCAC: TlsAlloc.KERNEL32(?,0024BFE0,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024BCCB
        • Part of subcall function 0024BCAC: InitializeCriticalSection.KERNEL32(004024A4,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024BCDC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AllocCriticalH_prolog3InitializeSection
      • String ID:
      • API String ID: 2369468792-0
      • Opcode ID: 0492abe1c65c9c420ee422f1ca25ab8bae4651ab77c2a406be79a5d698e0db70
      • Instruction ID: 9bd18eba682cc092fd85d91e38f84aeece54808e9ae007b4d7756b0f971ba8f5
      • Opcode Fuzzy Hash: 0492abe1c65c9c420ee422f1ca25ab8bae4651ab77c2a406be79a5d698e0db70
      • Instruction Fuzzy Hash: AB019E30611203CFCB2AAF38CD9966D3660AF00350B10803AE8169B2A0EBB4CD21CF40
      APIs
        • Part of subcall function 00248E34: WideCharToMultiByte.KERNELBASE(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00248A60,00000000,?,00000000,?,00248539,00000000), ref: 00248E45
      • WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00248539,00000000,00000000,00000000), ref: 00248A7D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ByteCharMultiWide
      • String ID:
      • API String ID: 626452242-0
      • Opcode ID: 78803307a69a19b13210bb6edd518ec12e6ff73bd04a14fe0c7adf5e78933c71
      • Instruction ID: a587f0657801b850b0b0c8cd416bec20fd0ce24129d66bb3eba2b07ca00c14fb
      • Opcode Fuzzy Hash: 78803307a69a19b13210bb6edd518ec12e6ff73bd04a14fe0c7adf5e78933c71
      • Instruction Fuzzy Hash: C7F0EDB133452A7EEE0D6A98DC8AE7F764CDB01360F10022EF606865C1DEE09D254BF2
      APIs
      • __EH_prolog3.LIBCMT ref: 00249322
        • Part of subcall function 002484FF: __EH_prolog3.LIBCMT ref: 00248506
        • Part of subcall function 0024936C: __EH_prolog3.LIBCMT ref: 00249373
        • Part of subcall function 0024936C: lstrcmpA.KERNEL32(?,003AF548,00000008,00249348,?,?,00000004,00245C48,?,?,?), ref: 00249383
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3$lstrcmp
      • String ID:
      • API String ID: 1628994602-0
      • Opcode ID: 792a0936ff4f7b4898a5abfb79701096de4f48efe0ff81ce755ef08ad19a0fc3
      • Instruction ID: 752b5324ab0f2bb94b0336cca78d9ba735ee0e28c0c3bba7b52811364b58e68d
      • Opcode Fuzzy Hash: 792a0936ff4f7b4898a5abfb79701096de4f48efe0ff81ce755ef08ad19a0fc3
      • Instruction Fuzzy Hash: 5DE0C93052011AEBCF1EAF60C856BAE7761BF16710F008458E9152A1D1CF755A60EE95
      APIs
      • __EH_prolog3.LIBCMT ref: 00248506
        • Part of subcall function 00248A4B: WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00248539,00000000,00000000,00000000), ref: 00248A7D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ByteCharH_prolog3MultiWide
      • String ID:
      • API String ID: 354187267-0
      • Opcode ID: 37abadf0503b82bf5a4997250876ca8f7040c9786fbb2c829ac2a4cf1cd1cb88
      • Instruction ID: 0e21cb3664f0e508131eaa02cd8efecf55da99752c7eca66cca0a5653ed10f1e
      • Opcode Fuzzy Hash: 37abadf0503b82bf5a4997250876ca8f7040c9786fbb2c829ac2a4cf1cd1cb88
      • Instruction Fuzzy Hash: 44E0CD747209206BCF0F7F64C812B5D2511AF53B00F004019F5046F342CF7A0B239ADA
      APIs
      • SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 0027D17C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: InfoParametersSystem
      • String ID:
      • API String ID: 3098949447-0
      • Opcode ID: e80f83166a2a9909dc30a80f8a8bc13508f45cf09cd2656ab5977410e62df7a4
      • Instruction ID: 2541ec600a9b7f3db9efc427c6b0e5b982e0a6c852f8aa6b75e9998d90f3e6f3
      • Opcode Fuzzy Hash: e80f83166a2a9909dc30a80f8a8bc13508f45cf09cd2656ab5977410e62df7a4
      • Instruction Fuzzy Hash: 9AD092B0264246AFE7059B44DC19BB237B8EB56761F908078E60D4F2A0D6B26C60CBA4
      APIs
      • WideCharToMultiByte.KERNELBASE(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00248A60,00000000,?,00000000,?,00248539,00000000), ref: 00248E45
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ByteCharMultiWide
      • String ID:
      • API String ID: 626452242-0
      • Opcode ID: be30922135fe0d0b326fd9fed189581ebe2f86123117a9ac4241579a3fec03e8
      • Instruction ID: 1f86f84df34c642627d677079a014e62adc2a8b213a25c8f782f6a727f95445c
      • Opcode Fuzzy Hash: be30922135fe0d0b326fd9fed189581ebe2f86123117a9ac4241579a3fec03e8
      • Instruction Fuzzy Hash: 8BC048B52482197EFE022AE4AC09E7B3A5CD751720F104258BE2CC51E0D9619D2056B2
      APIs
      • DeleteObject.GDI32(00000000), ref: 002555B7
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: DeleteObject
      • String ID:
      • API String ID: 1531683806-0
      • Opcode ID: 062176981ff33b33d688d1a52e515fe209da9e657cd1c7fd4fd0ba6b61e32aeb
      • Instruction ID: 404a8c0bd615379ee8b6e855bee1cba99dd145d7a716178b52c2084ad03372a3
      • Opcode Fuzzy Hash: 062176981ff33b33d688d1a52e515fe209da9e657cd1c7fd4fd0ba6b61e32aeb
      • Instruction Fuzzy Hash: 1CB092F0E22961AAEE41AB308A2C72A29585B51317F408894E40A81006EA3980199A48
      APIs
      • SHGetDesktopFolder.SHELL32(?), ref: 00277443
      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00277521
      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00277555
      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 002775FE
      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 0027761D
      • lstrcmpiW.KERNEL32(?,?), ref: 00277639
      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0027771B
      • SendMessageW.USER32(?,0000100C,?,00000002), ref: 00277751
      • ClientToScreen.USER32(?,?), ref: 00277794
      • ScreenToClient.USER32(?,?), ref: 002777A9
      • SendMessageW.USER32(?,00001012,00000000,?), ref: 002777C4
      • SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 0027783A
      • SendMessageW.USER32(?,0000100C,?,00000002), ref: 00277866
      • SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 00277884
      • CreatePopupMenu.USER32 ref: 0027790B
      • TrackPopupMenu.USER32(00000000,00000102,?,?,00000000,?,00000000), ref: 0027795A
      • GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 00277975
      • GetParent.USER32(?), ref: 002779DC
      • GetParent.USER32(?), ref: 00277A2E
      • GetParent.USER32(?), ref: 00277A41
      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00277A59
      Strings
      Similarity
      • API ID: MessageSend$MenuParent$ClientFileFromInfoListPathPopupScreen$CreateDefaultDesktopFolderItemTracklstrcmpi
      • String ID: $
      • API String ID: 312081018-3993045852
      • Opcode ID: 8b0ec0eab3d4f7ef5517351481970e00dd1665604021ae9903a21634028915b3
      • Instruction ID: 52b78405f096dee103e1f8a8aa92c26d473d4501403be69d3c9833697706b839
      • Opcode Fuzzy Hash: 8b0ec0eab3d4f7ef5517351481970e00dd1665604021ae9903a21634028915b3
      • Instruction Fuzzy Hash: E1229F71A1421AEFDB25CF64CD84AAEBBB9FF48310F148169E909E7260DB709D50CF90
      APIs
        • Part of subcall function 0028840E: ReleaseCapture.USER32 ref: 00288445
        • Part of subcall function 0028840E: IsWindow.USER32(?), ref: 00288474
        • Part of subcall function 0028840E: DestroyWindow.USER32(?), ref: 00288484
      • SetRectEmpty.USER32(?), ref: 00296DDC
      • ReleaseCapture.USER32 ref: 00296DE2
      • SetCapture.USER32(?), ref: 00296DF5
      • GetCapture.USER32 ref: 00296E34
      • ReleaseCapture.USER32 ref: 00296E44
      • SetCapture.USER32(?), ref: 00296E57
      • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00296EF5
      • GetFocus.USER32 ref: 00296F7A
      • NotifyWinEvent.USER32(00008005,?,000000FC,00000000), ref: 00296FAE
      • InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 00297167
      • InflateRect.USER32(?,00000000,?), ref: 002971A9
      • RedrawWindow.USER32(?,?,00000000,00000401,?,?,00000000), ref: 002971BC
      • InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 00297253
      • InflateRect.USER32(?,00000000,?), ref: 00297295
      • RedrawWindow.USER32(?,?,00000000,00000401,?,?,00000000), ref: 002972A8
      • NotifyWinEvent.USER32(00008005,?,000000FC,00000001), ref: 0029737B
      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000), ref: 002973EB
      • InflateRect.USER32(00000000,00000000,?), ref: 0029742D
      • RedrawWindow.USER32(?,00000000,00000000,00000401,?,?,00000000), ref: 00297441
      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000), ref: 002974B7
      • InflateRect.USER32(00000000,00000000,?), ref: 002974F9
      • RedrawWindow.USER32(?,00000000,00000000,00000401,?,?,00000000), ref: 0029750C
      • UpdateWindow.USER32(?), ref: 00297515
      Similarity
      • API ID: Rect$Window$Capture$Redraw$InflateInvalidate$Release$EventNotify$DestroyEmptyFocusUpdate
      • String ID:
      • API String ID: 985404702-0
      • Opcode ID: c6644762df740bce4a0b9666bd541765ae8d664c41d5d308fde60cb948cf3b85
      • Instruction ID: 769dff697edcd50da73489fb67d9d2cec678168bff09a7383d4f21997590caeb
      • Opcode Fuzzy Hash: c6644762df740bce4a0b9666bd541765ae8d664c41d5d308fde60cb948cf3b85
      • Instruction Fuzzy Hash: C932C371A302169FCF169F64C884ABE7BB9FF45310F190169EC19AB291DB34AD50CFA1
      APIs
      • MessageBeep.USER32 ref: 00270178
      • SendMessageW.USER32(?,000000B0,?,?), ref: 002701BF
      Similarity
      • API ID: Message$BeepSend
      • String ID:
      • API String ID: 1008054038-0
      • Opcode ID: 29d7ae4e3aaecc44ed4fc65d29072843fa2032cca85451f8488484aa303548fe
      • Instruction ID: 44139e84a0f16f8efe7f0172b025f3972d0750b268f0ac21226d0eb6ec0790e9
      • Opcode Fuzzy Hash: 29d7ae4e3aaecc44ed4fc65d29072843fa2032cca85451f8488484aa303548fe
      • Instruction Fuzzy Hash: 36D12775A2010AFBDF21DB94C8C9EEEBBBDFB04310F104556E51AE2190D770AAA8DF50
      APIs
      • __EH_prolog3.LIBCMT ref: 002B0BD7
      • CreateCompatibleDC.GDI32(00000000), ref: 002B0C59
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 002B0C8D
      • SelectObject.GDI32(?,00000000), ref: 002B0CE6
      • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 002B0D0B
      • MulDiv.KERNEL32(?,000000FF,00000064), ref: 002B0EF0
      • MulDiv.KERNEL32(?,000000FF,00000064), ref: 002B0F0F
      • MulDiv.KERNEL32(000000FF,000000FF,00000064), ref: 002B0F2C
      • MulDiv.KERNEL32(000000FF,000000FF,00000064), ref: 002B0F48
      • MulDiv.KERNEL32(00000000,000000FF,00000064), ref: 002B0F62
      • MulDiv.KERNEL32(00000000,000000FF,00000064), ref: 002B0F7E
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 002B0FE8
      • DeleteObject.GDI32(?), ref: 002B0FFF
        • Part of subcall function 002810B1: FillRect.USER32(?,?,-000000A8), ref: 002810CD
      Strings
      Similarity
      • API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
      • String ID: H$;$d
      • API String ID: 3910664508-318280298
      • Opcode ID: 4e7fdf1aba8a3df72655bf430ce793899f2e220a1a6a9ae57e360e49f5ba36ba
      • Instruction ID: 1d00bcac33d929a9b6fedd1ffb5b65fb379d104f9fc018e72685ca8be4e6d041
      • Opcode Fuzzy Hash: 4e7fdf1aba8a3df72655bf430ce793899f2e220a1a6a9ae57e360e49f5ba36ba
      • Instruction Fuzzy Hash: 15F10071A1021A9FCB169FA4CC95AFE7BB4FF44381F104619F942A6292DB34D970CF94
      APIs
      • SetRectEmpty.USER32(?), ref: 00298F3A
      • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00298F58
      • ReleaseCapture.USER32 ref: 00298F5E
      • SetCapture.USER32(?), ref: 00298F71
      • ReleaseCapture.USER32 ref: 00298FFE
      • SetCapture.USER32(?), ref: 00299011
      • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 002990FF
      • UpdateWindow.USER32(?), ref: 0029918B
      • SendMessageW.USER32(?,00000111,00000000,00000000), ref: 002991DA
      • IsWindow.USER32(?), ref: 002991E6
      • IsIconic.USER32(?), ref: 002991F1
      • IsZoomed.USER32(?), ref: 002991FC
      • IsWindow.USER32(?), ref: 0029921A
      • UpdateWindow.USER32(?), ref: 00299275
      Strings
      Similarity
      • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
      • String ID: |G@
      • API String ID: 2500574155-1800327284
      • Opcode ID: 75b5976e3b5b04443b50d753d25946f347548d2a5f227d42af038f5d07d124d8
      • Instruction ID: 576b6f84a3d34386bfd7f7c04b2e9c22dd0482808df923bbdcc53eb324fc61ea
      • Opcode Fuzzy Hash: 75b5976e3b5b04443b50d753d25946f347548d2a5f227d42af038f5d07d124d8
      • Instruction Fuzzy Hash: 36C15F31A10615AFCF169F64CD94AAD7BB9BF49320F090179FC1AAB2A1CB349D60CF51
      APIs
      • CoInitialize.OLE32(00000000), ref: 0024F042
      Strings
      Similarity
      • API ID: Initialize
      • String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
      • API String ID: 2538663250-1403614551
      • Opcode ID: d5c3538dd025756c26ed7bcb048c300deae4e0cebb7872f0ce858dd90a9dec7b
      • Instruction ID: 6d3fe0d5fd24bb27d6bfadb1762dbf5b820890b0d4e92acc2e1a0549025affff
      • Opcode Fuzzy Hash: d5c3538dd025756c26ed7bcb048c300deae4e0cebb7872f0ce858dd90a9dec7b
      • Instruction Fuzzy Hash: 5E21F435260701AFE7656F30DD95BA376A8FBC0B55F40453DF506C2991EBB0D8008A20
      APIs
      • __EH_prolog3.LIBCMT ref: 002655FB
      • _memcpy_s.LIBCMT ref: 00265783
      • _memcpy_s.LIBCMT ref: 002657F5
      • PathRemoveFileSpecW.SHLWAPI(?,?,00000000), ref: 0026592C
      • GetFocus.USER32 ref: 00265C15
      • IsWindowEnabled.USER32(00000000), ref: 00265C4B
      • EnableWindow.USER32(00000000,00000000), ref: 00265C63
      • EnableWindow.USER32(00000000,00000001), ref: 00265D04
      • IsWindow.USER32(00000000), ref: 00265D0B
      • SetFocus.USER32(00000000), ref: 00265D16
      Similarity
      • API ID: Window$EnableFocus_memcpy_s$EnabledFileH_prolog3PathRemoveSpec
      • String ID:
      • API String ID: 2321674057-0
      • Opcode ID: 533e525a0d8479aec2e661cb4b0f8f123ffcae4cc3f798ae4c7ecb489c872082
      • Instruction ID: 41f942cb277dba555f4a7d17d2a42c15dd8b26fc86b2611ca37269afa81d3af6
      • Opcode Fuzzy Hash: 533e525a0d8479aec2e661cb4b0f8f123ffcae4cc3f798ae4c7ecb489c872082
      • Instruction Fuzzy Hash: 3A22F471A21626DFDB18DF68C881BAEB7B5FF84310F14816DE805AB291DB709C51CFA0
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0024D9DF
      • PathIsUNCW.SHLWAPI(?,?,?,00000000), ref: 0024DA95
      • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0024DAB9
      • GetFullPathNameW.KERNEL32(?,00000104,00000000,?,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000,6I$,?,?), ref: 0024DA12
        • Part of subcall function 0024D993: GetLastError.KERNEL32(6I$,?,?,0024DACA,6I$,?), ref: 0024D99F
        • Part of subcall function 0024D314: PathStripToRootW.SHLWAPI(00000000,00000104,6I$,00000104,?,0024DA8E,?,?,00000000), ref: 0024D348
      • CharUpperW.USER32(?), ref: 0024DAE7
      • FindFirstFileW.KERNEL32(?,?), ref: 0024DAFF
      • FindClose.KERNEL32(00000000), ref: 0024DB0B
      Strings
      Similarity
      • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
      • String ID: 6I$
      • API String ID: 2323451338-3256832173
      • Opcode ID: f6c12b4e73e2f1acecbaa33388b20b79b96ba6d7596721d45c8d9abe9a2b52a8
      • Instruction ID: d305480b94538f0578a9ac552d7bb84ee91922d2c5be2a82b83b7cba71f889cd
      • Opcode Fuzzy Hash: f6c12b4e73e2f1acecbaa33388b20b79b96ba6d7596721d45c8d9abe9a2b52a8
      • Instruction Fuzzy Hash: 134184B1924225AFDF29FF60CC89EBE737CFF01314F100699B80992151EB71AE648E61
      APIs
      Strings
      Similarity
      • API ID: _free$InformationTimeZone
      • String ID: L=$L=
      • API String ID: 597776487-713417311
      • Opcode ID: dbe4b5fea7b8669173425242b2ba60407a404440d1a36a612999455a8c7d769c
      • Instruction ID: 8eaff38a3a985c3d6a739aa04ec22ea9282ddcb66b0928a1223b60c8bf577a7a
      • Opcode Fuzzy Hash: dbe4b5fea7b8669173425242b2ba60407a404440d1a36a612999455a8c7d769c
      • Instruction Fuzzy Hash: 9CC12A76A18205AFDF26AF79CC81AAE7BADEF45310F1544AAE4459B3C1E7308E01CB54
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00249BE5,00248BEC,00000003,?,00000004,00248BEC), ref: 00250F1C
      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00250F2C
      • EncodePointer.KERNEL32(00000000,?,00249BE5,00248BEC,00000003,?,00000004,00248BEC), ref: 00250F35
      • DecodePointer.KERNEL32(00000000,?,?,00249BE5,00248BEC,00000003,?,00000004,00248BEC), ref: 00250F43
      • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,00249BE5,00248BEC,00000003,?,00000004,00248BEC), ref: 00250F7A
      Strings
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
      • String ID: GetLocaleInfoEx$kernel32.dll
      • API String ID: 1461536855-1547310189
      • Opcode ID: a3981d8f68ead40cf0f516ffecf4f50be512b0922d1d0814fb0100259e772b5a
      • Instruction ID: 668d7e3aaeb82831feaa6229d1467b564eb99a4176d48d48f8c64e8572f2bdd6
      • Opcode Fuzzy Hash: a3981d8f68ead40cf0f516ffecf4f50be512b0922d1d0814fb0100259e772b5a
      • Instruction Fuzzy Hash: B1016936514316FFCF132FA0EE589AE3F6DEF09752B004420FD05A25A0CBB1C8209BA8
      APIs
      Similarity
      • API ID: Object$Delete$H_prolog3
      • String ID:
      • API String ID: 487261545-0
      • Opcode ID: 0f7449ef12ea58ec38cfdfe6d15175f83ea202eace91c90227b44d785491d424
      • Instruction ID: 41ab2980a853404912572197a250b6d0349a0065a0fabb74b491981f52c105db
      • Opcode Fuzzy Hash: 0f7449ef12ea58ec38cfdfe6d15175f83ea202eace91c90227b44d785491d424
      • Instruction Fuzzy Hash: 67226975D11219DFCF25EFA8C98479DBBF4BF08700F2085AAE449A7291EB705AA4CF40
      Strings
      Similarity
      • API ID:
      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
      • API String ID: 0-2761157908
      • Opcode ID: d0eaeff48e135b1d64592fa3eb41bc04af03a79ef332a94ce21a96cd505e5dbb
      • Instruction ID: fd529371c58cadbb2ee24dce22dbe12ef0be6df5e3ba5a0c95eecc1bd824859c
      • Opcode Fuzzy Hash: d0eaeff48e135b1d64592fa3eb41bc04af03a79ef332a94ce21a96cd505e5dbb
      • Instruction Fuzzy Hash: 3CC23A71E146288FDF26CE28DD817E9B7B9EB49304F1551EAD84EE7240E774AE818F40
      APIs
      • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000000,?,0024DBCF,00000000,003EC300,00000014,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000,6I$), ref: 0024A010
      • GetLastError.KERNEL32(?,00000000,?,0024DBCF,00000000,003EC300,00000014,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000,6I$), ref: 0024A047
      Strings
      • IsolationAware function called after IsolationAwareCleanup, xrefs: 0024A00B
      Similarity
      • API ID: DebugErrorLastOutputString
      • String ID: IsolationAware function called after IsolationAwareCleanup
      • API String ID: 4132100945-2690750368
      • Opcode ID: 705faf9d73553d8f4fc888d1be9e1c3f961f33dab7a2abada1611a5043a566dd
      • Instruction ID: 4fdbc8f8a8de1ac362b32b966fdb948e4ab48b06b2d85feaf12a38c67bfbf25c
      • Opcode Fuzzy Hash: 705faf9d73553d8f4fc888d1be9e1c3f961f33dab7a2abada1611a5043a566dd
      • Instruction Fuzzy Hash: C1F062352F032346DF3E5F99AE4472A76A8A619B40B246136E905D2161D670CC74C6E7
      APIs
      • IsDebuggerPresent.KERNEL32 ref: 00386C7B
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00386C85
      • UnhandledExceptionFilter.KERNEL32(?), ref: 00386C92
      Similarity
      • API ID: ExceptionFilterUnhandled$DebuggerPresent
      • String ID:
      • API String ID: 3906539128-0
      • Opcode ID: 484788119f0b951b2ac5875030eac44dec82cdf3883a447a10d4512ac940e1dc
      • Instruction ID: 1fb25e730aad5759b3e0f02ca4063b8429d88fa7c73772b98529288574d0fbfa
      • Opcode Fuzzy Hash: 484788119f0b951b2ac5875030eac44dec82cdf3883a447a10d4512ac940e1dc
      • Instruction Fuzzy Hash: 1031B57494131C9BCB62EF65DD89B9CBBB8BF08310F5041DAE41CA7250EB749B858F54
      APIs
      • GetAsyncKeyState.USER32(00000011), ref: 0027541F
      • GetAsyncKeyState.USER32(00000010), ref: 0027542E
      • SendMessageW.USER32(00000000,00000300,00000000,00000000), ref: 00275479
      Similarity
      • API ID: AsyncState$MessageSend
      • String ID:
      • API String ID: 2137877063-0
      • Opcode ID: 46568251e88c036e98556309f2bab6e6c5e4e24dc47366fdb3bf5779222d1c43
      • Instruction ID: 554da26477fcf4740e22e17bc013623b6bebcd882ada11640f5b28213fd2a3ab
      • Opcode Fuzzy Hash: 46568251e88c036e98556309f2bab6e6c5e4e24dc47366fdb3bf5779222d1c43
      • Instruction Fuzzy Hash: D111A731360B326FEAB54F158CA6F71A29D9B05B52F198025F60DDA0D0DAF0A8D09655
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      APIs
      • __EH_prolog3.LIBCMT ref: 0025AFA9
      • RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 0025B195
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3RedrawWindow
      • String ID:
      • API String ID: 474685049-0
      APIs
      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0039E312,?,?,00000008,?,?,0039EC43,00000000), ref: 0039E544
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID:
      • API String ID: 3997070919-0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID: 0
      • API String ID: 0-4108050209
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      APIs
      • OpenThemeData.UXTHEME(?,WINDOW,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291D12
      • OpenThemeData.UXTHEME(?,TOOLBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291D31
      • OpenThemeData.UXTHEME(?,BUTTON,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291D50
      • OpenThemeData.UXTHEME(?,STATUS,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291D6F
      • OpenThemeData.UXTHEME(?,REBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291D8E
      • OpenThemeData.UXTHEME(?,COMBOBOX,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291DAD
      • OpenThemeData.UXTHEME(?,PROGRESS,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291DCC
      • OpenThemeData.UXTHEME(?,HEADER,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291DEB
      • OpenThemeData.UXTHEME(?,SCROLLBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291E0A
      • OpenThemeData.UXTHEME(?,EXPLORERBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291E29
      • OpenThemeData.UXTHEME(?,TREEVIEW,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291E48
      • OpenThemeData.UXTHEME(?,STARTPANEL,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291E67
      • OpenThemeData.UXTHEME(?,TASKBAND,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291E86
      • OpenThemeData.UXTHEME(?,TASKBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291EA5
      • OpenThemeData.UXTHEME(?,SPIN,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291EC4
      • OpenThemeData.UXTHEME(?,TAB,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291EE3
      • OpenThemeData.UXTHEME(?,TOOLTIP,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291F02
      • OpenThemeData.UXTHEME(?,TRACKBAR,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291F21
      • OpenThemeData.UXTHEME(00000000,MENU,?,?,00289D87,?,00289DD6,00000004,00267BAB,00000000,00000004,00267A2F), ref: 00291F3C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: DataOpenTheme
      • String ID: BUTTON$COMBOBOX$EXPLORERBAR$HEADER$MENU$PROGRESS$REBAR$SCROLLBAR$SPIN$STARTPANEL$STATUS$TAB$TASKBAND$TASKBAR$TOOLBAR$TOOLTIP$TRACKBAR$TREEVIEW$WINDOW
      • API String ID: 1744092376-1233129369
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002E229E
      • IsWindow.USER32(?), ref: 002E233A
      • GetMenuItemCount.USER32(00000001), ref: 002E24EB
      • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 002E251F
      • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 002E25AB
      • SendMessageW.USER32(?,0000041C,00000000,?), ref: 002E25E9
      • GetMenuItemCount.USER32(00000001), ref: 002E2668
      • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 002E267E
      • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 002E269C
      • GetMenuItemCount.USER32(00000001), ref: 002E270B
      • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 002E2721
      • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 002E273B
      • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 002E2501
        • Part of subcall function 00256E2D: GetDlgCtrlID.USER32(?), ref: 00256E38
      • GetWindow.USER32(?,00000005), ref: 002E27BF
      • AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 002E2830
      • GetWindow.USER32(00000000,00000002), ref: 002E2860
      • AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 002E28E1
      • GetMenuItemCount.USER32(?), ref: 002E2928
      • AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 002E293E
      • AppendMenuW.USER32(?,00000000,00000000,?), ref: 002E2955
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Menu$Append$CountItem$Window$MessageSend$CtrlH_prolog3_
      • String ID: ({<$8Y<
      • API String ID: 528922254-624170715
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002606EF
      • CreateRectRgnIndirect.GDI32(?), ref: 00260729
      • CopyRect.USER32(?,?), ref: 0026073D
      • InflateRect.USER32(?,?,?), ref: 00260753
      • IntersectRect.USER32(?,?,?), ref: 0026075F
      • CreateRectRgnIndirect.GDI32(?), ref: 00260769
      • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0026077E
      • CombineRgn.GDI32(?,?,?,00000003), ref: 00260798
      • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 002607E3
      • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 00260800
      • CopyRect.USER32(?,?), ref: 0026080B
      • InflateRect.USER32(?,?,?), ref: 00260821
      • IntersectRect.USER32(?,?,?), ref: 0026082D
      • SetRectRgn.GDI32(?,?,?,?,?), ref: 00260842
      • CombineRgn.GDI32(?,?,?,00000003), ref: 00260853
      • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0026086A
      • CombineRgn.GDI32(?,?,?,00000003), ref: 00260884
        • Part of subcall function 00260A49: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00260A90
        • Part of subcall function 00260A49: CreatePatternBrush.GDI32(00000000), ref: 00260A9D
        • Part of subcall function 00260A49: DeleteObject.GDI32(00000000), ref: 00260AA9
      • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 002608E1
        • Part of subcall function 00255BB4: SelectObject.GDI32(?,00000000), ref: 00255BD8
        • Part of subcall function 00255BB4: SelectObject.GDI32(?,00000000), ref: 00255BF0
      • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00260941
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Create$CombineObject$CopyIndirectInflateIntersectSelect$BitmapBrushDeleteH_prolog3_Pattern
      • String ID: p;;$p;;$p;;
      • API String ID: 3480991079-1993494660
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0028184C
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,003AF734,00000000,003B97E0,00000000,003B1CB8,00000000,?,00000A88,00282AA2,?,00000000,00000038,00281788), ref: 002818EC
      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,003B1CB8,00000000,?,00000A88,00282AA2,?,00000000,00000038,00281788), ref: 002819A3
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: File$CreateH_prolog3_ModuleName
      • String ID:
      • API String ID: 3408945735-0
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0027EEF9
      • CopyImage.USER32 ref: 0027EF2F
        • Part of subcall function 0028246B: __EH_prolog3_GS.LIBCMT ref: 00282475
        • Part of subcall function 0028246B: GetObjectW.GDI32(?,00000018,?), ref: 0028249D
        • Part of subcall function 0028246B: GetObjectW.GDI32(?,00000054,?), ref: 002824E2
      • GetObjectW.GDI32(?,00000018,?), ref: 0027EF69
      • DeleteObject.GDI32(?), ref: 0027EFE6
      • CreateCompatibleDC.GDI32(00000000), ref: 0027F014
      • GetObjectW.GDI32(?,00000018,?), ref: 0027F030
      • GetObjectW.GDI32(?,00000018,?), ref: 0027F07A
      • SelectObject.GDI32(?,?), ref: 0027F09D
      • SelectObject.GDI32(?,?), ref: 0027F0D4
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0027F0FA
      • SelectObject.GDI32(?,00000000), ref: 0027F115
      • CreateCompatibleDC.GDI32(?), ref: 0027F145
      • SelectObject.GDI32(?,?), ref: 0027F163
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0027F1A2
      • SelectObject.GDI32(?,?), ref: 0027F1B7
      • BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0027F1ED
      • SelectObject.GDI32(?,?), ref: 0027F1FF
      • SelectObject.GDI32(?,00000000), ref: 0027F210
      • DeleteObject.GDI32(?), ref: 0027F221
      • DeleteObject.GDI32(?), ref: 0027F269
      • SelectObject.GDI32(?,?), ref: 0027F281
      • SelectObject.GDI32(?,00000000), ref: 0027F292
      • DeleteObject.GDI32(?), ref: 0027F29E
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Select$Delete$CompatibleCreate$H_prolog3_$BitmapCopyImage
      • String ID:
      • API String ID: 1780083495-0
      APIs
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      • GetParent.USER32(?), ref: 00258D93
      • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00258DB6
      • GetWindowRect.USER32(?,00000000), ref: 00258DDB
      • GetWindowLongW.USER32(00000000,000000F0), ref: 00258E0A
      • MonitorFromWindow.USER32(00000000,00000001), ref: 00258E43
      • GetMonitorInfoW.USER32(00000000), ref: 00258E4A
      • CopyRect.USER32(?,?), ref: 00258E58
      • GetWindowRect.USER32(00000000,?), ref: 00258E65
      • MonitorFromWindow.USER32(00000000,00000002), ref: 00258E72
      • GetMonitorInfoW.USER32(00000000), ref: 00258E79
      • CopyRect.USER32(?,?), ref: 00258E87
      • GetParent.USER32(?), ref: 00258E92
      • GetClientRect.USER32(00000000,?), ref: 00258E9F
      • GetClientRect.USER32(00000000,?), ref: 00258EAA
      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00258EB8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
      • String ID: (
      • API String ID: 3610148278-3887548279
      APIs
      • CloseThemeData.UXTHEME(00000000,?,00289FF7), ref: 0028A143
      • CloseThemeData.UXTHEME(00000000,?,00289FF7), ref: 0028A152
      • CloseThemeData.UXTHEME(00000000,?,00289FF7), ref: 0028A161
      • CloseThemeData.UXTHEME(00000000,?,?,?,00289FF7), ref: 0028A170
      • CloseThemeData.UXTHEME(00000000,?,?,?,00289FF7), ref: 0028A17F
      • CloseThemeData.UXTHEME(?,?,?,?,00289FF7), ref: 0028A18E
      • CloseThemeData.UXTHEME(00000000,?,?,?,?,?,00289FF7), ref: 0028A19D
      • CloseThemeData.UXTHEME(?,?,?,?,?,?,00289FF7), ref: 0028A1AC
      • CloseThemeData.UXTHEME(00000000,?,?,?,?,?,?,?,00289FF7), ref: 0028A1BB
      • CloseThemeData.UXTHEME(?,?,?,?,?,?,?,?,00289FF7), ref: 0028A1CA
      • CloseThemeData.UXTHEME(00000000,?,?,?,?,?,?,?,?,?,00289FF7), ref: 0028A1D9
      • CloseThemeData.UXTHEME(?,?,?,?,?,?,?,?,?,?,00289FF7), ref: 0028A1E8
      • CloseThemeData.UXTHEME(00000000,?,?,?,?,?,?,?,?,?,?,?,00289FF7), ref: 0028A1F7
      • CloseThemeData.UXTHEME(?,?,?,?,?,?,?,?,?,?,?,?,00289FF7), ref: 0028A206
      • CloseThemeData.UXTHEME(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00289FF7), ref: 0028A215
      • CloseThemeData.UXTHEME(00000000), ref: 0028A224
      • CloseThemeData.UXTHEME(00000000), ref: 0028A233
      • CloseThemeData.UXTHEME(?), ref: 0028A242
      • CloseThemeData.UXTHEME(00000000), ref: 0028A251
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CloseDataTheme
      • String ID:
      • API String ID: 2797872399-0
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0028120C
      • CreateCompatibleDC.GDI32(00000000), ref: 00281254
      • GetObjectW.GDI32(?,00000018,?), ref: 00281275
      • SelectObject.GDI32(?,?), ref: 002812B0
      • CreateCompatibleDC.GDI32(?), ref: 002812DD
      • CreateDIBSection.GDI32(?,?), ref: 00281345
      • SelectObject.GDI32(?,00000000), ref: 0028135C
      • SelectObject.GDI32(?,00000000), ref: 0028136E
      • SelectObject.GDI32(?,00000000), ref: 00281385
      • DeleteObject.GDI32(?), ref: 00281391
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
      • String ID: (
      • API String ID: 1429849173-3887548279
      APIs
      • __EH_prolog3.LIBCMT ref: 0028365B
      • TransparentBlt.MSIMG32(?,?,?,?,?,?,?,00000000,?,00000000,?,00000048,00280AE9,?,?,?), ref: 002836AD
      • CreateCompatibleDC.GDI32(?), ref: 002836ED
      • CreateCompatibleDC.GDI32(?), ref: 0028370E
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00283733
      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,H$;,?,00000000,00CC0020), ref: 00283789
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,H$;,00CC0020), ref: 002837B6
      • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 002837C7
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 002837FE
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0028382E
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,008800C6), ref: 0028385D
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00EE0086), ref: 00283878
        • Part of subcall function 00254A77: DeleteDC.GDI32(00000000), ref: 00254AAB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Create$Compatible$Bitmap$DeleteH_prolog3StretchTransparent
      • String ID: H$;$H$;$H$;$PW%
      • API String ID: 646174778-3333514450
      APIs
      • GetDlgItem.USER32(?,00003020), ref: 002643E6
      • GetDlgItem.USER32(?,00003020), ref: 00264411
      • GetWindowRect.USER32(00000000,?), ref: 0026442C
      • MapDialogRect.USER32(?,?), ref: 00264454
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000020,00000016), ref: 0026447E
      • GetDlgItem.USER32(?,00000001), ref: 0026448F
      • GetWindowRect.USER32(00000000,?), ref: 002644A1
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 002644C5
      • GetWindowRect.USER32(?,?), ref: 002644DA
      • GetWindowRect.USER32(?,?), ref: 0026453D
      • GetDlgItem.USER32(?,00000001), ref: 00264554
      • GetWindowRect.USER32(00000000,?), ref: 00264563
      • GetDlgItem.USER32(?,00000001), ref: 0026458C
      • ShowWindow.USER32(00000000,00000000), ref: 0026459B
      • EnableWindow.USER32(00000000,00000000), ref: 002645A4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Rect$Item$DialogEnableShow
      • String ID:
      • API String ID: 763981185-3916222277
      APIs
      • RedrawWindow.USER32(?,?,00000000,00000105), ref: 002A0F48
      • PtInRect.USER32(?,?,?), ref: 002A0F55
      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 002A0F82
      • GetParent.USER32(?), ref: 002A0F9E
      • SendMessageW.USER32(?,?,?,00000000), ref: 002A0FC1
      • SendMessageW.USER32(?,?,?,003C6A00), ref: 002A1007
      • ReleaseCapture.USER32 ref: 002A101B
      • ReleaseCapture.USER32 ref: 002A1104
      • ReleaseCapture.USER32 ref: 002A116D
      • InvalidateRect.USER32(?,?,00000001), ref: 002A11B7
      • UpdateWindow.USER32(?), ref: 002A11C0
      • InvalidateRect.USER32(?,?,00000001), ref: 002A1205
      • UpdateWindow.USER32(?), ref: 002A120E
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CaptureMessageRectReleaseSendWindow$InvalidateUpdate$ParentRedraw
      • String ID:
      • API String ID: 3937359674-0
      APIs
      • SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 002734C0
      • GetClientRect.USER32(?,?), ref: 002734D9
      • GetSystemMetrics.USER32(00000015), ref: 002734F9
      • GetSystemMetrics.USER32(00000015), ref: 00273524
        • Part of subcall function 002B3E8D: __EH_prolog3.LIBCMT ref: 002B3E94
        • Part of subcall function 002757DD: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00000000,00000001,00000001,00000000,?,002736B4,?,00000024,MFCPropertyGrid_AlphabeticMode,?,00000024), ref: 00275838
      • InvalidateRect.USER32(?,?,00000001), ref: 00273548
      • UpdateWindow.USER32(?), ref: 00273551
      • __EH_prolog3.LIBCMT ref: 002735C4
      Strings
      • MFCPropertyGrid_HeaderCtrl, xrefs: 0027366B
      • MFCPropertyGrid_DescriptionArea, xrefs: 002735FE
      • MFCPropertyGrid_AlphabeticMode, xrefs: 00273698
      • Value, xrefs: 0027367D
      • MFCPropertyGrid_VSDotNetLook, xrefs: 002736DF
      • MFCPropertyGrid_ModifiedProperties, xrefs: 002736BB
      • Property, xrefs: 00273682
      • MFCPropertyGrid_DescriptionRows, xrefs: 00273638
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3MetricsRectSystemWindow$ClientInvalidateMessageRedrawSendUpdate
      • String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
      • API String ID: 1592221277-2695045869
      APIs
      • IsRectEmpty.USER32(?), ref: 00280B23
      • IsRectEmpty.USER32(?), ref: 00280B4F
      • IntersectRect.USER32(?,?,?), ref: 00280BC7
      • IntersectRect.USER32(?,?,?), ref: 00280C6B
      • IsRectEmpty.USER32(?), ref: 00280CA9
      • IsRectEmpty.USER32(?), ref: 00280CBB
      • SelectObject.GDI32(?), ref: 00280CD5
      • IsRectEmpty.USER32(?), ref: 00280CEE
      • IsRectEmpty.USER32(?), ref: 00280D07
      • AlphaBlend.MSIMG32(?,?,?,?,?,00000000,?,?,?,?,?), ref: 00280D81
      • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,00CC0020), ref: 00280DC7
      • SelectObject.GDI32(?), ref: 00280DD9
      • SetRectEmpty.USER32 ref: 00280E58
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Empty$IntersectObjectSelect$AlphaBlendStretch
      • String ID:
      • API String ID: 3434778532-3916222277
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00278BE8
      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00278C37
      • ClientToScreen.USER32(?,0000004E), ref: 00278C6C
      • SendMessageW.USER32(?,0000113E,00000000,00000004), ref: 00278CCB
      • SHGetDesktopFolder.SHELL32(?), ref: 00278CF1
      • GetParent.USER32(?), ref: 00278D1E
      • CreatePopupMenu.USER32 ref: 00278D68
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen
      • String ID: $
      • API String ID: 2088741424-3993045852
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0027F695
      • GetObjectW.GDI32(00000000,00000018,?), ref: 0027F6D3
      • CreateCompatibleDC.GDI32(00000000), ref: 0027F712
      • SelectObject.GDI32(?,00000000), ref: 0027F739
      • GetObjectW.GDI32(?,00000054,?), ref: 0027F77B
      • CreateDIBSection.GDI32(?,?), ref: 0027F7DD
      • CreateCompatibleDC.GDI32(?), ref: 0027F817
      • SelectObject.GDI32(?,00000000), ref: 0027F830
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Create$CompatibleSelect$H_prolog3_Section
      • String ID: (
      • API String ID: 1338481308-3887548279
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002FBD22
      • GetCursorPos.USER32(?), ref: 002FBDE2
      • IsRectEmpty.USER32(?), ref: 002FBE16
      • IsRectEmpty.USER32(?), ref: 002FBE3D
      • IsRectEmpty.USER32(?), ref: 002FBE59
      • GetWindowRect.USER32(?,?), ref: 002FBE84
      • GetWindowRect.USER32(?,?), ref: 002FBEB1
      • PtInRect.USER32(?,?,?), ref: 002FBEFF
      • OffsetRect.USER32(?,?,00000000), ref: 002FBF17
        • Part of subcall function 003296F7: __EH_prolog3.LIBCMT ref: 003296FE
        • Part of subcall function 003296F7: SetRectEmpty.USER32 ref: 003297FE
        • Part of subcall function 003296F7: SetRectEmpty.USER32(?), ref: 00329805
      • SetRectEmpty.USER32(?), ref: 002FBF3E
      • OffsetRect.USER32(?,?,?), ref: 002FC0D7
      • IsRectEmpty.USER32(?), ref: 002FC0F7
      • IsRectEmpty.USER32(?), ref: 002FC120
      • PtInRect.USER32(?,00000000,00000000), ref: 002FC134
      • OffsetRect.USER32(?,00000000,?), ref: 002FC15E
      • IsRectEmpty.USER32(?), ref: 002FC17C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
      • String ID:
      • API String ID: 359163869-0
      APIs
      • __EH_prolog3.LIBCMT ref: 0028206A
      • CreateCompatibleDC.GDI32(00000000), ref: 00282098
      • GetObjectW.GDI32(?,00000018,?), ref: 002820B1
      • SelectObject.GDI32(?,?), ref: 002820CD
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 002820EE
      • SelectObject.GDI32(?,00000000), ref: 002820FF
      • CreateCompatibleDC.GDI32(?), ref: 00282119
      • SelectObject.GDI32(?,?), ref: 0028212E
      • SelectObject.GDI32(?,00000000), ref: 0028213F
      • DeleteObject.GDI32(?), ref: 00282148
      • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 00282168
      • GetPixel.GDI32(?,0000002C,00000000), ref: 0028218E
      • SetPixel.GDI32(?,0000002C,00000000,00000000), ref: 002821D5
      • SelectObject.GDI32(?,?), ref: 002821FC
      • SelectObject.GDI32(?,00000000), ref: 00282206
      • DeleteObject.GDI32(?), ref: 0028220E
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
      • String ID:
      • API String ID: 3639146769-0
      APIs
      • GetWindowRect.USER32(?,?), ref: 00287466
      • GetCursorPos.USER32(?), ref: 00287495
      • ClientToScreen.USER32(?,?), ref: 002874B4
      • ScreenToClient.USER32(?,?), ref: 002875AE
      • SendMessageW.USER32(?,00000202,0000FFFF,?), ref: 002875D5
      • SendMessageW.USER32(?,00000202,00000000,?), ref: 00287627
      • GetParent.USER32(?), ref: 00287630
      • SetParent.USER32(?,?), ref: 00287645
      • GetWindowRect.USER32(?,?), ref: 002877C2
      • ClientToScreen.USER32(?,?), ref: 002877E1
      • OffsetRect.USER32(?,?,?), ref: 00287847
      • RedrawWindow.USER32(?,?,00000000,000005B1), ref: 002878B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientRectScreenWindow$MessageParentSend$CursorOffsetRedraw
      • String ID: d<
      • API String ID: 2611947581-3402581688
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,00000000,000000F2,00000108,00249100,?,?), ref: 00250FB6
      • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00250FC6
      • EncodePointer.KERNEL32(00000000,?,00000000,000000F2,00000108,00249100,?,?), ref: 00250FCF
      • DecodePointer.KERNEL32(00000000,?,?,?,00000000,000000F2,00000108,00249100,?,?), ref: 00250FDD
      • GetUserDefaultUILanguage.KERNEL32(?,00000000,000000F2,00000108,00249100,?,?), ref: 00251007
      • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00251017
      • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00251046
      • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000F2), ref: 00251074
      • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00251084
      • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 002510BC
      • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 002510F2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
      • String ID: GetThreadPreferredUILanguages$kernel32.dll
      • API String ID: 404278886-1646127487
      APIs
        • Part of subcall function 0024BFAD: __EH_prolog3.LIBCMT ref: 0024BFB4
      • RegisterWindowMessageW.USER32(commdlg_LBSelChangedNotify,00247218), ref: 00268AF7
      • RegisterWindowMessageW.USER32(commdlg_ShareViolation), ref: 00268B07
      • RegisterWindowMessageW.USER32(commdlg_FileNameOK), ref: 00268B17
      • RegisterWindowMessageW.USER32(commdlg_ColorOK), ref: 00268B27
      • RegisterWindowMessageW.USER32(commdlg_help), ref: 00268B37
      • RegisterWindowMessageW.USER32(commdlg_SetRGBColor), ref: 00268B47
      • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00268C6D
        • Part of subcall function 0025C40E: SetWindowLongW.USER32(?,000000FC,002583D5), ref: 0025C452
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageWindow$Register$H_prolog3LongSend
      • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
      • API String ID: 1550484310-3888057576
      • Opcode ID: d9715102ad07ae18dcf68a2837e225bbcdb230c9fa0d9b23cd2c8d4b5a1f6837
      • Instruction ID: 10c062d7a87661746b43e89bb649a621cf09051c35381ffef5f0c1d60e9dba59
      • Opcode Fuzzy Hash: d9715102ad07ae18dcf68a2837e225bbcdb230c9fa0d9b23cd2c8d4b5a1f6837
      • Instruction Fuzzy Hash: 92513C71A212059FCF1AAF64DD84ABE77B5FB85314F04022AFA01A7250DF749CA0DBA5
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0026AF82
      • GetIconInfo.USER32(?,?), ref: 0026B023
      • GetObjectW.GDI32(?,00000018,?), ref: 0026B032
      • CreateCompatibleDC.GDI32(00000000), ref: 0026B061
      • CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 0026B07D
      • SelectObject.GDI32(?,00000000), ref: 0026B092
      • FillRect.USER32(?,?,-00000098), ref: 0026B0CD
      • DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 0026B0EE
      • SelectObject.GDI32(?,?), ref: 0026B0FF
      • DeleteObject.GDI32(?), ref: 0026B108
      • DeleteObject.GDI32(?), ref: 0026B11D
      • DeleteObject.GDI32(?), ref: 0026B126
      • DestroyIcon.USER32(?,0000006C,0026AA79,?,00000000,00000000,00000000,00000000,00000000), ref: 0026B179
      • DestroyIcon.USER32(?), ref: 0026B186
      • DestroyIcon.USER32(?), ref: 0026B191
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
      • String ID:
      • API String ID: 2061919445-0
      • Opcode ID: 69cdcbf518be9cfdcb306f3a56862ada902a58dafe9c190158223c2bd579f1ba
      • Instruction ID: 6012c28abdeb56888877c476579f04e77d692fa1ae0a076b3ca09960b08f2366
      • Opcode Fuzzy Hash: 69cdcbf518be9cfdcb306f3a56862ada902a58dafe9c190158223c2bd579f1ba
      • Instruction Fuzzy Hash: 3061487191021AAFDB16DFA4D895AEEBBB9FF09300F148129F805A7260DB359C91CF61
      APIs
        • Part of subcall function 00242590: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
        • Part of subcall function 00242590: LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
        • Part of subcall function 00242590: LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
        • Part of subcall function 00242590: SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      • RegEnumKeyExW.ADVAPI32(00000000,00000000,?,00000104,00000000,00000000,00000000,?,?,?,SolidWorks Installation Manager), ref: 002434A2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$EnumFindLoadLockSizeof
      • String ID: %s$ /autoreboot$ /pushdeployment$ /removedata$ /removeregistry$ /skipcountdown$/auto "%s" /interactive 0 /remove "%s" /adminclientuninstall$<$@$Software\Microsoft\Windows\CurrentVersion\Uninstall$SolidWorks Installation Manager
      • API String ID: 3933509807-1504943193
      • Opcode ID: 16265e903fe28c5081dd3b207e371689aebf3502bb9e8a8a2f7d26335abf08c4
      • Instruction ID: 84abb6d150bb63f201ed63721474c8bf725345ace0296e365fe52ef644767476
      • Opcode Fuzzy Hash: 16265e903fe28c5081dd3b207e371689aebf3502bb9e8a8a2f7d26335abf08c4
      • Instruction Fuzzy Hash: B0B191709112199BDB29DF64CC89BDAB7B4EF15314F1482D8E809AB2D2EB309F95CF50
      APIs
      • __EH_prolog3.LIBCMT ref: 002B05CE
      • CreateCompatibleDC.GDI32(00000007), ref: 002B0634
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 002B066A
      • SelectObject.GDI32(?,00000000), ref: 002B06C3
      • BitBlt.GDI32(?,00000000,00000000,?,?,00000007,?,?,00CC0020), ref: 002B06E8
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 002B087E
        • Part of subcall function 002810B1: FillRect.USER32(?,?,-000000A8), ref: 002810CD
      • DeleteObject.GDI32(?), ref: 002B0895
        • Part of subcall function 00254A77: DeleteDC.GDI32(00000000), ref: 00254AAB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CompatibleCreateDeleteObject$BitmapFillH_prolog3RectSelect
      • String ID: H$;$H$;$`w&$`w&$`w&
      • API String ID: 810631364-1668710464
      • Opcode ID: d72272a900b130b0eb14e83e22fd91fadb4395492beebde2167bac8005df3dae
      • Instruction ID: 28ab20301ed38a4b8e3df2f570abf382a4e616210ab278f7df1becc4fba981f9
      • Opcode Fuzzy Hash: d72272a900b130b0eb14e83e22fd91fadb4395492beebde2167bac8005df3dae
      • Instruction Fuzzy Hash: F9916931A1021A9FDF16DFA8CC95AEEBBB4FF44341F004129F955EA291EB34D924DB60
      APIs
      • __EH_prolog3.LIBCMT ref: 00267132
        • Part of subcall function 002690D9: __EH_prolog3.LIBCMT ref: 002690E0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3
      • String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
      • API String ID: 431132790-2110171958
      • Opcode ID: bf9ad152ee787e622582784de2665fc4af2fc9d6deacb9f3e541188b85b10064
      • Instruction ID: c77fcff0d53193e227b42e3522e77fe09b239cdfc463dcc44f8b133b33164686
      • Opcode Fuzzy Hash: bf9ad152ee787e622582784de2665fc4af2fc9d6deacb9f3e541188b85b10064
      • Instruction Fuzzy Hash: 6451BA60A3C34799EF55BAB4AC177AE66E15F41318F300499F814FA2D2EF708DB0AB15
      APIs
      • KillTimer.USER32(?,0000EC13), ref: 002A520F
      • KillTimer.USER32(?,0000EC14), ref: 002A521D
        • Part of subcall function 002A5404: InvalidateRect.USER32(?,00000000,00000001), ref: 002A545E
        • Part of subcall function 002A5404: UpdateWindow.USER32(?), ref: 002A5467
        • Part of subcall function 002A55D0: KillTimer.USER32(?,0000EC13,?,?,002A4EC1), ref: 002A565E
      • GetCursorPos.USER32(?), ref: 002A5230
      • ScreenToClient.USER32(?,?), ref: 002A523D
      • GetClientRect.USER32(?,?), ref: 002A5259
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 002A526E
      • PtInRect.USER32(?,?,?), ref: 002A527E
      • SendMessageW.USER32(?,00000201,?,?), ref: 002A5297
      • SetTimer.USER32(?,0000EC14,000000C8,00000000), ref: 002A52B4
      • GetClientRect.USER32(?,?), ref: 002A52DA
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 002A52EF
      • PtInRect.USER32(?,?,?), ref: 002A52FF
      • SendMessageW.USER32(?,00000201,?,?), ref: 002A5318
      • SetTimer.USER32(?,0000EC13,000000C8,00000000), ref: 002A5335
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: RectTimer$ClientKillWindow$MessagePointsSend$CursorInvalidateScreenUpdate
      • String ID:
      • API String ID: 2240750388-0
      • Opcode ID: 38416bd35e00ce1eb8f9561c0468556f9b1190b284cb92898ee9074fbd9ef546
      • Instruction ID: 089f551cf3e7dc704452619bc2f13dbd0838a1df5e810216e27b593e2597baa0
      • Opcode Fuzzy Hash: 38416bd35e00ce1eb8f9561c0468556f9b1190b284cb92898ee9074fbd9ef546
      • Instruction Fuzzy Hash: 6141AF72810A0AEFDF119FA1CD489AEFBB9FF1A300F048829F116A1071DB719964DF50
      APIs
      • GlobalAlloc.KERNEL32(00000040,00000004,?), ref: 00263C87
      • GlobalLock.KERNEL32(00000000), ref: 00263C90
      • GlobalUnlock.KERNEL32(00000000), ref: 00263CA1
      • SetPropW.USER32(?,00000000), ref: 00263CB1
      • GlobalFree.KERNEL32(00000000), ref: 00263CBC
      • IsWindowEnabled.USER32(00000000), ref: 00263D64
      • EnableWindow.USER32(00000000,00000000), ref: 00263D70
      • GetCapture.USER32 ref: 00263D7D
      • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00263D8C
      • EnableWindow.USER32(00000000,00000001), ref: 00263E60
      • GetActiveWindow.USER32 ref: 00263E6A
      • SetActiveWindow.USER32(00000000), ref: 00263E76
      • EnableWindow.USER32(00000000,00000001), ref: 00263EB5
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Global$Enable$Active$AllocCaptureEnabledFreeLockMessagePropSendUnlock
      • String ID:
      • API String ID: 2841214920-0
      • Opcode ID: 0dc47bf272118dca161be8452b60ef51ed92f8732c8dc894eed1e775560cc364
      • Instruction ID: 54903a69fe9ed0a4fff340c4e50f8050b8d693b52957c99b14585db140f3506c
      • Opcode Fuzzy Hash: 0dc47bf272118dca161be8452b60ef51ed92f8732c8dc894eed1e775560cc364
      • Instruction Fuzzy Hash: 8591CE30B20302ABDB15EF74D849BAEBBA8BF05311F044119FA16E7291DB74D961CFA0
      APIs
      • ___free_lconv_mon.LIBCMT ref: 0039B643
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B219
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B22B
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B23D
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B24F
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B261
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B273
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B285
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B297
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B2A9
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B2BB
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B2CD
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B2DF
        • Part of subcall function 0039B1FC: _free.LIBCMT ref: 0039B2F1
      • _free.LIBCMT ref: 0039B638
        • Part of subcall function 00392EB8: HeapFree.KERNEL32(00000000,00000000,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?), ref: 00392ECE
        • Part of subcall function 00392EB8: GetLastError.KERNEL32(?,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?,?), ref: 00392EE0
      • _free.LIBCMT ref: 0039B65A
      • _free.LIBCMT ref: 0039B66F
      • _free.LIBCMT ref: 0039B67A
      • _free.LIBCMT ref: 0039B69C
      • _free.LIBCMT ref: 0039B6AF
      • _free.LIBCMT ref: 0039B6BD
      • _free.LIBCMT ref: 0039B6C8
      • _free.LIBCMT ref: 0039B700
      • _free.LIBCMT ref: 0039B707
      • _free.LIBCMT ref: 0039B724
      • _free.LIBCMT ref: 0039B73C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
      • String ID:
      • API String ID: 161543041-0
      • Opcode ID: befc24dbf58c89c4d2e31f615daedd0ad4f00aaa065502d3c8ee36beb739edce
      • Instruction ID: 25c440242522a8ea6cac88ffcb01b4b99252dfbe4549f929cd47e6ab438ee9cd
      • Opcode Fuzzy Hash: befc24dbf58c89c4d2e31f615daedd0ad4f00aaa065502d3c8ee36beb739edce
      • Instruction Fuzzy Hash: E8316D72A00A09AFEF22AA79E985B5BB3E9EF40350F514419F455DB261DF70FC80CB60
      APIs
      • RealizePalette.GDI32(?), ref: 0026BBBB
      • InflateRect.USER32(?,000000FE,000000FE), ref: 0026BCBA
        • Part of subcall function 0026C351: __EH_prolog3.LIBCMT ref: 0026C358
        • Part of subcall function 0026C351: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 0026C3CF
        • Part of subcall function 0026C351: CreatePalette.GDI32(00000000), ref: 0026C41C
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0026BCE3
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0026BD0C
      • GetNearestPaletteIndex.GDI32(?,?), ref: 0026BD35
      • FillRect.USER32(?,?,?), ref: 0026BD57
      • InflateRect.USER32(?,000000FE,000000FE), ref: 0026BD7E
      • FillRect.USER32(?,?,-00000098), ref: 0026BDEF
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0026BE3A
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0026BF01
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
      • String ID: VW%
      • API String ID: 1028858568-697210052
      • Opcode ID: 97a5d6c9b9fd1e7bb573080aa733d07317e71dcb9a8885f145157ecde1217d18
      • Instruction ID: 436b671fce8edfa4e78c1894dd8f3e462c0df9226133375cecb4b6b01f791f13
      • Opcode Fuzzy Hash: 97a5d6c9b9fd1e7bb573080aa733d07317e71dcb9a8885f145157ecde1217d18
      • Instruction Fuzzy Hash: 73C18D31910219AFCF02EFA4CD84A9EBBB9FF05324F104669F815AB2A1DB71AD55CF50
      APIs
      • SetRectEmpty.USER32(?), ref: 002723B7
      • LoadCursorW.USER32(?,00007904), ref: 002723DD
      • LoadCursorW.USER32(?,00007905), ref: 00272410
      • SendMessageW.USER32(?,0000120A,00000000,00000006), ref: 00272470
      • SendMessageW.USER32(?,0000120A,00000001,00000006), ref: 002724A6
      • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00272501
      • SendMessageW.USER32(?,00000418,00000000,?), ref: 0027252F
      • GetParent.USER32(?), ref: 0027256B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$CursorLoad$EmptyParentRect
      • String ID: Property$Value$d
      • API String ID: 2284761715-1409410049
      • Opcode ID: 6ad0e18414fb48e1d2104e592a27aa681bcbe70f127d544c48a326ff0af49001
      • Instruction ID: a912a2882bfbac9c14922538882cdda7ee57f28764031bad9a52c19853fd9c07
      • Opcode Fuzzy Hash: 6ad0e18414fb48e1d2104e592a27aa681bcbe70f127d544c48a326ff0af49001
      • Instruction Fuzzy Hash: BA51C171A11315EFDB16AF60DC89EAEBBB8FF49314F040169F50AA72A1DB745910CF81
      APIs
      • __EH_prolog3.LIBCMT ref: 00365130
      • EqualRect.USER32(?,?), ref: 0036514C
      • EqualRect.USER32(?,?), ref: 00365161
      • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 003651B6
      • CreateRectRgn.GDI32(?,00000000,?,?), ref: 003651EA
      • CreateRectRgnIndirect.GDI32(?), ref: 003651F6
      • CombineRgn.GDI32(?,?,?,00000002), ref: 00365210
      • SetWindowRgn.USER32(?,?,00000000), ref: 0036521D
      • RedrawWindow.USER32(?,00000000,00000000,00000105,004041C8,?,?,?,?,00000058), ref: 0036529B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Create$EqualWindow$CombineH_prolog3IndirectRedraw
      • String ID: p;;$p;;
      • API String ID: 1583790776-1062217609
      • Opcode ID: eb5372c85ef27f01522b33d322eadb40aecb616c9e1a6720b1522be0503a7db3
      • Instruction ID: a7ac345ceca8e6303b00962a87dab83811daa8f812bf1657793a0153fc86acbb
      • Opcode Fuzzy Hash: eb5372c85ef27f01522b33d322eadb40aecb616c9e1a6720b1522be0503a7db3
      • Instruction Fuzzy Hash: 09510371900619AFDF02DFA4CD99BEF7BB9FB05300F048128BD09AA255CB70A955CBA0
      APIs
      • SetRectEmpty.USER32(?), ref: 0029F288
      • GetCursorPos.USER32(?), ref: 0029F2C5
      • GetParent.USER32(?), ref: 0029F34A
      • ReleaseCapture.USER32 ref: 0029F52E
      • GetParent.USER32(?), ref: 0029F53E
      • SendMessageW.USER32(?,00000363,00000000,00000000), ref: 0029F554
      • GetWindowRect.USER32(?,?), ref: 0029F59F
      • SetParent.USER32(?,00000000), ref: 0029F684
      • GetParent.USER32(?), ref: 0029F6EA
      • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0029F6FC
      • GetParent.USER32(?), ref: 0029F705
      • UpdateWindow.USER32(?), ref: 0029F714
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Parent$Rect$Window$CaptureCursorEmptyInvalidateMessageReleaseSendUpdate
      • String ID:
      • API String ID: 2800639987-0
      • Opcode ID: 53b586cec5f962d7fba3d2e24149067bb164050f1f9d7ba2bdbabef163152270
      • Instruction ID: 71fd9e4d6b4cce6c7cb1bc7d51403d9e1974b3f4898cd1691d6afe8e29c1c397
      • Opcode Fuzzy Hash: 53b586cec5f962d7fba3d2e24149067bb164050f1f9d7ba2bdbabef163152270
      • Instruction Fuzzy Hash: C0020C35A102199FCF45DFA4D9989AEBBB9FF89710F090069E806E7361CB34AD11CF91
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00299415
      • SetCursor.USER32(?,00000044,00299298), ref: 002994AE
        • Part of subcall function 002548B5: __EH_prolog3.LIBCMT ref: 002548BC
        • Part of subcall function 002548B5: GetDC.USER32(00000000), ref: 002548E8
        • Part of subcall function 002606E8: __EH_prolog3_GS.LIBCMT ref: 002606EF
        • Part of subcall function 002606E8: CreateRectRgnIndirect.GDI32(?), ref: 00260729
        • Part of subcall function 002606E8: CopyRect.USER32(?,?), ref: 0026073D
        • Part of subcall function 002606E8: InflateRect.USER32(?,?,?), ref: 00260753
        • Part of subcall function 002606E8: IntersectRect.USER32(?,?,?), ref: 0026075F
        • Part of subcall function 002606E8: CreateRectRgnIndirect.GDI32(?), ref: 00260769
        • Part of subcall function 002606E8: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0026077E
        • Part of subcall function 002606E8: CombineRgn.GDI32(?,?,?,00000003), ref: 00260798
        • Part of subcall function 002606E8: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 002607E3
        • Part of subcall function 002606E8: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 00260800
        • Part of subcall function 00254A28: ReleaseDC.USER32(?,00000000), ref: 00254A5C
      • GetFocus.USER32 ref: 00299544
      • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 0029962F
      • TrackMouseEvent.USER32(?,?,00000000), ref: 00299666
      • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 002996E9
      • InvalidateRect.USER32(?,?,00000001,?), ref: 0029981B
      • InflateRect.USER32(?,00000000,?), ref: 0029985D
      • RedrawWindow.USER32(?,?,00000000,00000401), ref: 00299870
      • KillTimer.USER32(?,0000EC07), ref: 002998F2
      • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 0029990E
      • UpdateWindow.USER32(?), ref: 00299937
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Create$Timer$H_prolog3_IndirectInflateWindow$CombineCopyCursorEventFocusH_prolog3IntersectInvalidateKillMessageMouseRedrawReleaseSendTrackUpdate
      • String ID:
      • API String ID: 487985220-0
      • Opcode ID: 4d93d1867a2a2988bfa4c1d8a70ef7271e52ec054311ebe8077d1598c6a703c4
      • Instruction ID: ed2a56640a0974cac01e5161f169ba9b4d70e0ee7b0f50cd9cff9484c54bea4e
      • Opcode Fuzzy Hash: 4d93d1867a2a2988bfa4c1d8a70ef7271e52ec054311ebe8077d1598c6a703c4
      • Instruction Fuzzy Hash: AEF1A0715202129FDF169F68C884BAD77A9BF49324F18027DEC199B2A1DB309CA1CF61
      APIs
      • GetKeyboardState.USER32(?), ref: 002C78B1
      • GetKeyboardLayout.USER32(?), ref: 002C78D6
      • MapVirtualKeyW.USER32(?,00000000), ref: 002C78F4
      • ToUnicodeEx.USER32(?,00000000), ref: 002C78FE
      • LoadAcceleratorsW.USER32(?,00000000), ref: 002C799D
      • LoadAcceleratorsW.USER32(?,00000000), ref: 002C7A47
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AcceleratorsKeyboardLoad$LayoutStateUnicodeVirtual
      • String ID: <D<$X;
      • API String ID: 1654504579-3627562721
      • Opcode ID: 5f058f8c851b0ecfcfac09d833b37ac4a1c684d58cf1bf5ddfeb744595fb0b05
      • Instruction ID: 0c5a8b782653cd422ab8d77957a950825328ac96332ba2e8d12dd24ca9cdce53
      • Opcode Fuzzy Hash: 5f058f8c851b0ecfcfac09d833b37ac4a1c684d58cf1bf5ddfeb744595fb0b05
      • Instruction Fuzzy Hash: F961CD72224206AFEB29AF64DC46FAE73ACEF05710F14416DF9059B291DF70AD208F61
      APIs
      • __EH_prolog3.LIBCMT ref: 00269355
      • GetParent.USER32(?), ref: 002693ED
      • GetNextDlgGroupItem.USER32(?,00000000,00000000), ref: 00269410
      • GetNextDlgGroupItem.USER32(?,?,?), ref: 0026946D
      • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0026949B
      • GetParent.USER32(?), ref: 002694AB
      • GetWindowLongW.USER32(?,000000F4), ref: 002694C6
      • SendMessageW.USER32(00000000,00000111), ref: 002694D6
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: GroupItemLongMessageNextParentSendWindow$H_prolog3
      • String ID: 0U;
      • API String ID: 212963440-2918022327
      • Opcode ID: 2bdefce937c9089f2492a5ccc4f4fa10debe2a147249dc7708b72faf9feb9f62
      • Instruction ID: 0b0a7b7be8c3078cf1548f3ddd70c5f1de1bf77b0a10ef8c3185685ab21c201c
      • Opcode Fuzzy Hash: 2bdefce937c9089f2492a5ccc4f4fa10debe2a147249dc7708b72faf9feb9f62
      • Instruction Fuzzy Hash: 0441D272920215AFDF21AFB5CC45AAF76ACFB48301F100068F946E6190EE3089E1DB60
      APIs
      • __EH_prolog3.LIBCMT ref: 002ADE95
      • GetObjectW.GDI32(?,00000018,?), ref: 002ADEAC
        • Part of subcall function 002ADDEB: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 002ADE62
      • CreateCompatibleDC.GDI32(00000000), ref: 002ADF2C
      • SelectObject.GDI32(?,?), ref: 002ADF3F
      • CreateCompatibleDC.GDI32(00000000), ref: 002ADF5D
      • SelectObject.GDI32(?,0000002C), ref: 002ADF72
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 002ADF91
      • SelectObject.GDI32(?,00000000), ref: 002ADF9F
      • SelectObject.GDI32(?,00000000), ref: 002ADFA9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Select$Create$Compatible$H_prolog3Section
      • String ID:
      • API String ID: 2431383920-3916222277
      • Opcode ID: 7f85ba1c48711a242437fbfdfc2926e2bfaa7d7b3fd435232fac2cb7a1a9d6ce
      • Instruction ID: 530f4f7a5936cd49e2e0416fb6f0ab191f82deb56e15adcea24e96f78dc1559b
      • Opcode Fuzzy Hash: 7f85ba1c48711a242437fbfdfc2926e2bfaa7d7b3fd435232fac2cb7a1a9d6ce
      • Instruction Fuzzy Hash: 97418F72D10119AFDF16AFA0DC45ABEBB79EF06311F014124F506BB1A1DBB04D69DBA0
      APIs
      • GetCursorPos.USER32(?), ref: 002F5FFA
      • MonitorFromPoint.USER32(003FD93C,?,00000002), ref: 002F602E
      • GetMonitorInfoW.USER32(00000000), ref: 002F6035
      • CopyRect.USER32(?,?), ref: 002F6047
      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002F6057
      • OffsetRect.USER32(?,?,00000000), ref: 002F607A
      • OffsetRect.USER32(?,?,00000000), ref: 002F609D
      • OffsetRect.USER32(?,00000000,?), ref: 002F60C2
      • OffsetRect.USER32(?,00000000,?), ref: 002F60E6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
      • String ID: (
      • API String ID: 4030222242-3887548279
      • Opcode ID: 427cf1a020897b800461d21e437b1066dbcc696e45e9b79971415876f8e90f28
      • Instruction ID: 29d5c931dc6bab13020f07b6c8a88859b41defc5c9704dea7d5d22b6e2e79676
      • Opcode Fuzzy Hash: 427cf1a020897b800461d21e437b1066dbcc696e45e9b79971415876f8e90f28
      • Instruction Fuzzy Hash: 1F413B71A1011AEFDB18DFA4D988DBEF7B9FB85744B20823DE50697600DB31AD15CB60
      APIs
      • PtInRect.USER32(?,?,?), ref: 002A12F0
      • RedrawWindow.USER32(?,?,00000000,00000105), ref: 002A1311
      • ClientToScreen.USER32(?,?), ref: 002A1345
      • WindowFromPoint.USER32(?,?), ref: 002A1351
      • ReleaseCapture.USER32 ref: 002A1369
      • SetCapture.USER32(?), ref: 002A13FC
      • ReleaseCapture.USER32 ref: 002A142A
      • InvalidateRect.USER32(?,?,00000001), ref: 002A146C
      • UpdateWindow.USER32(?), ref: 002A1475
      • ClientToScreen.USER32(?,?), ref: 002A159D
      • SetCursorPos.USER32(?,?), ref: 002A15A9
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CaptureWindow$ClientRectReleaseScreen$CursorFromInvalidatePointRedrawUpdate
      • String ID:
      • API String ID: 1209641013-0
      • Opcode ID: a1b0ff9e67de976e4f477dc5fe1d53b211cf9d4f60d676f2b17aca8f6f001865
      • Instruction ID: 88b4c67e1495d4d626174bea75b97bb9ee743fb18aee9faa140fb01291630f80
      • Opcode Fuzzy Hash: a1b0ff9e67de976e4f477dc5fe1d53b211cf9d4f60d676f2b17aca8f6f001865
      • Instruction Fuzzy Hash: 7EA16E75B10616EFCB099F64C984AEDBBB9FF49320F14026AF91693250DF34A960CF91
      APIs
      • GetCapture.USER32 ref: 0027419E
      • ReleaseCapture.USER32 ref: 002741A8
      • GetClientRect.USER32(?,?), ref: 002741C1
      • GetSystemMetrics.USER32(00000015), ref: 002741DD
      • GetSystemMetrics.USER32(00000015), ref: 00274204
      • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00274245
      • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00274275
      • GetCapture.USER32 ref: 0027429E
      • ReleaseCapture.USER32 ref: 002742A8
      • GetClientRect.USER32(?,?), ref: 002742C1
      • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00274316
        • Part of subcall function 00276030: __EH_prolog3_GS.LIBCMT ref: 00276037
        • Part of subcall function 00276030: IsRectEmpty.USER32(?), ref: 00276052
        • Part of subcall function 00276030: InvertRect.USER32(?,?), ref: 00276068
        • Part of subcall function 00276030: SetRectEmpty.USER32(?), ref: 0027607B
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
      • String ID:
      • API String ID: 174338775-0
      • Opcode ID: 2f574ce0be60ad7215b70f325094c6db47990ed0df88ffcf47586e281b8fc32f
      • Instruction ID: 53d76a56f04e0f50cddddc17b5a5cef3cc09ebe5b257f2eac88e1af8fbd4c4bc
      • Opcode Fuzzy Hash: 2f574ce0be60ad7215b70f325094c6db47990ed0df88ffcf47586e281b8fc32f
      • Instruction Fuzzy Hash: 38516171A10619EFCB05DFB4CD849ADBBB9FF49310F144169E81AA7251DB34AE10CF91
      APIs
      • GetCursorPos.USER32(?), ref: 00287B72
      • GetWindowRect.USER32(?,?), ref: 00287B7F
        • Part of subcall function 00287ADF: GetParent.USER32(?), ref: 00287AF7
      • GetWindowRect.USER32(?,?), ref: 00287BCB
      • IntersectRect.USER32(?,?,?), ref: 00287BDD
      • PtInRect.USER32(?,?,?), ref: 00287C5C
      • GetWindowRect.USER32(?,?), ref: 00287C97
      • PtInRect.USER32(?,?,?), ref: 00287CA7
      • GetWindowRect.USER32(?,?), ref: 00287E0F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Window$CursorIntersectParent
      • String ID: z<
      • API String ID: 1143452425-1035170313
      • Opcode ID: 512ff66801f7ade46955e00edfb7eda29fc29a9a4d13e6167038a32938113fb6
      • Instruction ID: 67e0d9aaedc386e6eb777110352541628cdb9727596d26ac6c3aca366ab4beea
      • Opcode Fuzzy Hash: 512ff66801f7ade46955e00edfb7eda29fc29a9a4d13e6167038a32938113fb6
      • Instruction Fuzzy Hash: 7AC1E175E1560ADFCF04EFA9D9849EDBBB9FF08300F204169E415E7254EB30AA65CB50
      APIs
      • __EH_prolog3.LIBCMT ref: 0026F55C
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026F577
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026F589
      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0026F73D
      • MessageBeep.USER32(000000FF), ref: 0026F788
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026F930
      • MessageBeep.USER32(000000FF), ref: 0026F94A
        • Part of subcall function 00270974: SendMessageW.USER32(?,000000B1,0000002E,000000FF), ref: 00270988
        • Part of subcall function 00270974: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 002709A0
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Message$Send$Beep$H_prolog3
      • String ID:
      • API String ID: 204075910-0
      • Opcode ID: eb55d7874dff669c6e0e3ad94cadf363896700cbe40c957513213c767bdb0df7
      • Instruction ID: 22d33b50a09fc08a1fefd8359b9cb306dbdcbba3b2a7711641a0e707ecf1b90f
      • Opcode Fuzzy Hash: eb55d7874dff669c6e0e3ad94cadf363896700cbe40c957513213c767bdb0df7
      • Instruction Fuzzy Hash: BDD16C7192111AEBCF49DFA4C985AFEBBB9FF08300F104529E556E7251DB30A954CFA0
      APIs
      • __EH_prolog3.LIBCMT ref: 0026F96E
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026F9B1
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026FAF2
      • MessageBeep.USER32(000000FF), ref: 0026FB56
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026FB71
      • SendMessageW.USER32(?,000000C2,00000001,00000000), ref: 0026FAB2
        • Part of subcall function 00270974: SendMessageW.USER32(?,000000B1,0000002E,000000FF), ref: 00270988
        • Part of subcall function 00270974: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 002709A0
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Message$Send$BeepH_prolog3LongWindow
      • String ID:
      • API String ID: 29510489-0
      • Opcode ID: f1c92556b012faf73c1f7b22ff89b2adc12e409c974afb78a9e31f3fb3f870f5
      • Instruction ID: deb972a0c878976b635335d38ff61c91f04f65c16675d0a10060ef7ce5b4c81d
      • Opcode Fuzzy Hash: f1c92556b012faf73c1f7b22ff89b2adc12e409c974afb78a9e31f3fb3f870f5
      • Instruction Fuzzy Hash: 03C17C71A2011AAFCF05EFA4C995EFEB7B9FF48300F144129F912A7191DB34A964CB60
      APIs
      • GetParent.USER32(?), ref: 002F65AE
      • GetWindowRect.USER32(?,00000000), ref: 002F6605
      • CopyRect.USER32(00000000,?), ref: 002F661D
      • PtInRect.USER32(?,00000000,?), ref: 002F670B
      • PtInRect.USER32(?,00000000,?), ref: 002F673C
      • PtInRect.USER32(?,00000000,?), ref: 002F6778
      • PtInRect.USER32(?,00000000,?), ref: 002F67D4
      • PtInRect.USER32(?,00000000,?), ref: 002F6811
      • PtInRect.USER32(?,00000000,?), ref: 002F6858
      • PtInRect.USER32(?,00000000,?), ref: 002F688F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$CopyParentWindow
      • String ID:
      • API String ID: 642869531-0
      • Opcode ID: f9d5d3a5547c1c3df327eedbf07c63a3a52b4f9c8926c4f592e222ce0b4a0d87
      • Instruction ID: af93d633612202ea0680fcb7643fcf92a806363cfaffe48ae136a9fab17e6142
      • Opcode Fuzzy Hash: f9d5d3a5547c1c3df327eedbf07c63a3a52b4f9c8926c4f592e222ce0b4a0d87
      • Instruction Fuzzy Hash: B6B1C1B2E1021A9FDF11CFA8C948AEEBBF9EF08344F14416AE905E7250D775DA54CB90
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00282475
      • GetObjectW.GDI32(?,00000018,?), ref: 0028249D
      • GetObjectW.GDI32(?,00000054,?), ref: 002824E2
      • CreateCompatibleDC.GDI32(00000000), ref: 00282603
      • SelectObject.GDI32(?,?), ref: 00282628
      • GetPixel.GDI32(?,00000000,00000000), ref: 00282679
      • GetPixel.GDI32(?,?,00000000), ref: 0028268B
      • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 0028269A
      • SetPixel.GDI32(?,?,00000000,00000000), ref: 002826AC
      • SelectObject.GDI32(?,00000000), ref: 002826F1
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
      • String ID:
      • API String ID: 1266819874-0
      • Opcode ID: 8074fc89028669bb3ab774b69218fb179afaeffa074a45da13106abb47f6662d
      • Instruction ID: 980c58cd7a1a6cee869e1e6d6e10ecb1b86b6cb3fdaf9118585e8f23c18d7c45
      • Opcode Fuzzy Hash: 8074fc89028669bb3ab774b69218fb179afaeffa074a45da13106abb47f6662d
      • Instruction Fuzzy Hash: 99811779E00229CFDB25DF69CC84A9DBBB5FF48300F248169E849A7251DB309D99CF50
      APIs
      • __EH_prolog3_catch.LIBCMT ref: 00262BFF
      • FindResourceW.KERNEL32(?,00000000,00000005), ref: 00262C40
      • LoadResource.KERNEL32(?,00000000), ref: 00262C48
        • Part of subcall function 00258388: UnhookWindowsHookEx.USER32(?), ref: 002583B2
      • LockResource.KERNEL32(?), ref: 00262C55
      • GetDesktopWindow.USER32 ref: 00262C8C
      • IsWindowEnabled.USER32(00000000), ref: 00262C97
      • EnableWindow.USER32(00000000,00000000), ref: 00262CA3
        • Part of subcall function 0025701C: IsWindowEnabled.USER32(?), ref: 00257027
        • Part of subcall function 00256DEA: EnableWindow.USER32(?,00000000), ref: 00256DFB
      • EnableWindow.USER32(00000000,00000001), ref: 00262D87
      • GetActiveWindow.USER32 ref: 00262D91
      • SetActiveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00262D9D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$EnableResource$ActiveEnabled$DesktopFindH_prolog3_catchHookLoadLockUnhookWindows
      • String ID:
      • API String ID: 2731338901-0
      • Opcode ID: d4be2d106c17d775ffd997819681d607e373fb86a26eae6d40a1c851e6a978bf
      • Instruction ID: 9c14635c98c97be87f7a3b3f5a4cbaf237f3643bfb93da587e70f7ecb27b47e1
      • Opcode Fuzzy Hash: d4be2d106c17d775ffd997819681d607e373fb86a26eae6d40a1c851e6a978bf
      • Instruction Fuzzy Hash: E2519030A21616DBDF11AF61C889BAEBBB9BF09311F040115E801B7291CB749DA5CFA1
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00276037
        • Part of subcall function 002548B5: __EH_prolog3.LIBCMT ref: 002548BC
        • Part of subcall function 002548B5: GetDC.USER32(00000000), ref: 002548E8
      • IsRectEmpty.USER32(?), ref: 00276052
      • InvertRect.USER32(?,?), ref: 00276068
      • SetRectEmpty.USER32(?), ref: 0027607B
      • GetClientRect.USER32(00000000,00000000), ref: 002760C8
      • GetSystemMetrics.USER32(00000015), ref: 002760E6
      • GetSystemMetrics.USER32(00000015), ref: 0027610C
      • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 0027614D
      • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 0027617D
      • InvertRect.USER32(?,?), ref: 00276189
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
      • String ID:
      • API String ID: 3401445556-0
      • Opcode ID: 751431b859e7667bbf5b8fa1b3dd736b142b0791cace6126a9e72b98c59094a4
      • Instruction ID: 7bfc00aa771a7a0e8770c45d607beaef32f0b06d34812765941732b163873cbe
      • Opcode Fuzzy Hash: 751431b859e7667bbf5b8fa1b3dd736b142b0791cace6126a9e72b98c59094a4
      • Instruction Fuzzy Hash: EF4166728206289FDF02DF64C949BED7BB8FF05312F154168E809AB261DB756A44CBA0
      APIs
        • Part of subcall function 00293D33: __EH_prolog3_GS.LIBCMT ref: 00293D3D
      • __EH_prolog3_GS.LIBCMT ref: 002A46AD
      • GetClientRect.USER32(?,?), ref: 002A46D2
      • GetClientRect.USER32(?,?), ref: 002A46EB
      • IntersectRect.USER32(00000000,?,?), ref: 002A486B
      • InflateRect.USER32(?,00000000,00000001), ref: 002A4967
      • __EH_prolog3.LIBCMT ref: 002A4A0C
        • Part of subcall function 00259C44: GetWindowTextLengthW.USER32(?), ref: 00259C55
        • Part of subcall function 00259C44: GetWindowTextW.USER32(?,00000000,00000000), ref: 00259C6C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$ClientH_prolog3_TextWindow$H_prolog3InflateIntersectLength
      • String ID: XQ@$XQ@
      • API String ID: 296966180-2331283793
      • Opcode ID: ffa516ff35678b9f38c93de0cd7e114c01a07d5cd36b8e039ffba5a8dd0ca2bc
      • Instruction ID: c34b050be38b270b41226e0cab59cf342ee213df31019b1755274796d70a76e6
      • Opcode Fuzzy Hash: ffa516ff35678b9f38c93de0cd7e114c01a07d5cd36b8e039ffba5a8dd0ca2bc
      • Instruction Fuzzy Hash: 42E17E31A102199FDF15EF64CC84BAEB7B9FF86311F1400A9E90AAB291CB74AD51CF51
      APIs
      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00276E1B
      • CreatePopupMenu.USER32 ref: 00276ED7
      • GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00276F12
      • GetParent.USER32(?), ref: 00276F38
      • GetParent.USER32(?), ref: 00276F8A
      • GetParent.USER32(?), ref: 00276F9D
      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00276FB5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Parent$MenuMessageSend$CreateDefaultItemPopup
      • String ID: $
      • API String ID: 3883924376-3993045852
      • Opcode ID: cb7e7d490bacec6657e282a8de43c18ed3ced3b9ead7ca4e11ff2f208dc55122
      • Instruction ID: 82e428c61da6c6ff9570cfae529ac870b7fec7f0070cd378b2fe8e31b064aabd
      • Opcode Fuzzy Hash: cb7e7d490bacec6657e282a8de43c18ed3ced3b9ead7ca4e11ff2f208dc55122
      • Instruction Fuzzy Hash: F1518A71A10715AFDB159FA5DC88EAEBBB8FF48710F044069F90AA7260DB70AD10CF91
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0027ED57
        • Part of subcall function 002549BD: __EH_prolog3.LIBCMT ref: 002549C4
        • Part of subcall function 002549BD: GetWindowDC.USER32(00000000,00000004,0027DA6E,00000000), ref: 002549F0
      • CreateCompatibleDC.GDI32(00000000), ref: 0027ED8E
      • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 0027EE0D
      • CreateCompatibleBitmap.GDI32(?,PW%,?), ref: 0027EE24
        • Part of subcall function 00255B4D: SelectObject.GDI32(?,?), ref: 00255B56
      • FillRect.USER32(?,00000000,-00000098), ref: 0027EE6C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
      • String ID: ($H$;$PW%
      • API String ID: 2680359821-1646699549
      • Opcode ID: aa8b4e37b48103aa48b8beda3857f54db0985fe345f77ea798f4378f42b57968
      • Instruction ID: d5bfb936dec7e588f617994fe2a76d744d191bd8e4746c6760a8c84ab7e08f02
      • Opcode Fuzzy Hash: aa8b4e37b48103aa48b8beda3857f54db0985fe345f77ea798f4378f42b57968
      • Instruction Fuzzy Hash: 54515971D20218AFDF15EFA5C885AAEFBB9FF18304F10842EE405A7291DB745918CF24
      APIs
        • Part of subcall function 0024BF56: __EH_prolog3_catch.LIBCMT ref: 0024BF5D
      • GetModuleHandleW.KERNEL32(comctl32.dll,00268998,?,00000000,?,?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 00268884
      • GetUserDefaultUILanguage.KERNEL32(?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 00268895
      • FindResourceExW.KERNEL32(?,00000005,?,0000FC11,?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 002688D4
      • FindResourceW.KERNEL32(?,?,00000005,?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 002688F1
      • LoadResource.KERNEL32(?,00000000,?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 002688FF
        • Part of subcall function 002689D6: GetDC.USER32(00000000), ref: 00268A29
        • Part of subcall function 002689D6: EnumFontFamiliesExW.GDI32(00000000,?,002689C0,?,00000000,?,?,?,?,?,?,00000000), ref: 00268A44
        • Part of subcall function 002689D6: ReleaseDC.USER32(00000000,00000000), ref: 00268A4C
      • GlobalAlloc.KERNEL32(00000040,00000000,?,?,00264CD8,?,?,00263784,00000000,0000001C,00264ACC,?,00263784), ref: 0026892F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleReleaseUser
      • String ID: MS UI Gothic$comctl32.dll
      • API String ID: 3737665285-3248924666
      • Opcode ID: 6a210efef41a6afcbe255b4ff7a76d60571bb22a4dac6a580b5b0fdea617aece
      • Instruction ID: 4679d23c28c4c027fd9a1b04a718d6b775d4ec6729e420d762914979d7ac4f96
      • Opcode Fuzzy Hash: 6a210efef41a6afcbe255b4ff7a76d60571bb22a4dac6a580b5b0fdea617aece
      • Instruction Fuzzy Hash: A4412371621606ABEB15AF65CC4AA7B73ACEF41710F048639F90ADB391EE70DD908721
      APIs
      • __EH_prolog3.LIBCMT ref: 00271344
        • Part of subcall function 002ACC30: __EH_prolog3.LIBCMT ref: 002ACC37
        • Part of subcall function 002C6228: SetRectEmpty.USER32(?), ref: 002C6263
      • SetRectEmpty.USER32(?), ref: 00271488
      • SetRectEmpty.USER32 ref: 00271499
      • SetRectEmpty.USER32(?), ref: 002714A0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: EmptyRect$H_prolog3
      • String ID: False$True$VW%$l:;
      • API String ID: 3752103406-2505679940
      • Opcode ID: c4705751b811a68349e09bde7284bcce4770e2bdd15c6e9a7d67ffa5851f5c1a
      • Instruction ID: b85744c7870842f6097774213474b62c7469efe8e0548f8edb3a9e61866a1d1e
      • Opcode Fuzzy Hash: c4705751b811a68349e09bde7284bcce4770e2bdd15c6e9a7d67ffa5851f5c1a
      • Instruction Fuzzy Hash: 3661F3B08153019FCB0ADF29D585BA9BBE8BF19304F1881BEE81C9F296DB741604CF65
      APIs
      • LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 0024A2B1
        • Part of subcall function 0024A077: GetProcAddress.KERNEL32(00000000,00000000), ref: 0024A0A5
      • GetModuleFileNameW.KERNEL32(?,?,00000105,?,0024DBCF,00000000,003EC300,00000014,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000), ref: 0024A1CB
      • SetLastError.KERNEL32(0000006F,?,0024DBCF,00000000,003EC300,00000014,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000,6I$,?), ref: 0024A1DF
      • GetLastError.KERNEL32(00000020), ref: 0024A236
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
      • String ID: $@$Comctl32.dll$GetModuleHandleExW
      • API String ID: 3640817601-4183358198
      • Opcode ID: 6429cd152b029c711d92b349bc866fd4d2c01da2145729124e7a4cbb014abbcc
      • Instruction ID: d2e18cdf10fb725e93138de4b608c689a89512f95abfc4d5cd7e1e6ab93fe298
      • Opcode Fuzzy Hash: 6429cd152b029c711d92b349bc866fd4d2c01da2145729124e7a4cbb014abbcc
      • Instruction Fuzzy Hash: 2E41E670A513259ADB35DF68DC8CBEE76B8EB45710F1006A6E904E31D0DBB58E90DF12
      APIs
      • EnterCriticalSection.KERNEL32(00405B8C,?,?,?,0029AE67,00000001), ref: 00323CE9
      • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00323D1A
      • LeaveCriticalSection.KERNEL32(00405B8C), ref: 00323D30
      • PlaySoundW.WINMM(MenuCommand,00000000,00012002), ref: 00323D80
      • Sleep.KERNEL32(00000005,?,00405B8C,?,?,?,?,0029AE67,00000001), ref: 00323DAB
      • PlaySoundW.WINMM(00000000,00000000,00000040), ref: 00323DC0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
      • String ID: MenuCommand$MenuPopup
      • API String ID: 2370138168-2036262055
      • Opcode ID: 7f360d99414bc52107bc96f8bd9f8e66934972fca8ff3c0f0f2399983e68040d
      • Instruction ID: e5f48f54de169b98ae1c27a23880c72b10383f94ecfb8fd526542f064389229a
      • Opcode Fuzzy Hash: 7f360d99414bc52107bc96f8bd9f8e66934972fca8ff3c0f0f2399983e68040d
      • Instruction Fuzzy Hash: C131E431444724ABDB236B2DBC0CB367A7DFB82B31F290325F535DA5E0C378A9019A18
      APIs
      • GetParent.USER32(?), ref: 002693ED
      • GetNextDlgGroupItem.USER32(?,00000000,00000000), ref: 00269410
      • GetNextDlgGroupItem.USER32(?,?,?), ref: 0026946D
      • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0026949B
      • GetParent.USER32(?), ref: 002694AB
      • GetWindowLongW.USER32(?,000000F4), ref: 002694C6
      • SendMessageW.USER32(00000000,00000111), ref: 002694D6
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: GroupItemLongMessageNextParentSendWindow
      • String ID: 0U;
      • API String ID: 4258059889-2918022327
      • Opcode ID: c1719878ebfaeccd425a4197b62f5524516df02c9e47405edc5be4cdc6d2437a
      • Instruction ID: bf7fa4f9fdc1c131dfe197cf9850d06434bdb907c2e471cfc5fe0bd22d8b1d9c
      • Opcode Fuzzy Hash: c1719878ebfaeccd425a4197b62f5524516df02c9e47405edc5be4cdc6d2437a
      • Instruction Fuzzy Hash: EA31E872920215EFDF22AFB4CC84A6E7ABCFB48301F140529F956D7160EE3188E59B50
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
      • EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • DecodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECFC
      • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0024ED24
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
      • String ID: SetDefaultDllDirectories$\$kernel32.dll
      • API String ID: 2101061299-3881611067
      • Opcode ID: 51fca252680dbc97172ab353d9ea34d5fa0ec7b59b4d841abb157abc396b9fd5
      • Instruction ID: 49aa76988257084125581ba999f74bbbcedc5ca7ddba5227eae6d3e7fc8834f0
      • Opcode Fuzzy Hash: 51fca252680dbc97172ab353d9ea34d5fa0ec7b59b4d841abb157abc396b9fd5
      • Instruction Fuzzy Hash: D921DE35E5061AE7EF25AB658C4AFEB37ACBF05740F160966F805E2190E6B0DA50CA90
      APIs
      • GetStockObject.GDI32(00000011), ref: 0026872C
      • GetStockObject.GDI32(0000000D), ref: 00268738
      • GetObjectW.GDI32(00000000,0000005C,?), ref: 00268749
      • GetDC.USER32(00000000), ref: 00268758
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0026876F
      • MulDiv.KERNEL32(?,00000048,00000000), ref: 0026877B
      • ReleaseDC.USER32(00000000,00000000), ref: 00268787
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Stock$CapsDeviceRelease
      • String ID: System
      • API String ID: 46613423-3470857405
      • Opcode ID: f39f7a1db971eebd968db55f124a8492a06c5b281e44f814899038dd7d7d2bba
      • Instruction ID: 9f6f1d158e06ac5d28fd7267fa6b30a530bf8a0b32b2cb054f15a49de63003a1
      • Opcode Fuzzy Hash: f39f7a1db971eebd968db55f124a8492a06c5b281e44f814899038dd7d7d2bba
      • Instruction Fuzzy Hash: 17114C75610319ABEB169F65DC89FBE7BBDFB49741F100119FA06DB280DE609C40CA60
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$ActiveFocus$MessageSend
      • String ID: u
      • API String ID: 1556911595-4067256894
      • Opcode ID: 2e1139c892e9e70d8453f7ed2e930a615d6890343d6c6d3b63e0aadb83b649b0
      • Instruction ID: 30e5c060e2f2a6c037b71a876742363ad8abe6af85bfe88118607db22eecbb47
      • Opcode Fuzzy Hash: 2e1139c892e9e70d8453f7ed2e930a615d6890343d6c6d3b63e0aadb83b649b0
      • Instruction Fuzzy Hash: A4119832521315EBEB223F78DC48A7A367DEB4B353F048424FD0585069D735C8A8DB58
      APIs
      • __EH_prolog3.LIBCMT ref: 00328BB9
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00402958,?,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 002560C9
        • Part of subcall function 00256098: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
        • Part of subcall function 00256098: LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
      • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 00328C04
      • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 00328C17
      • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 00328C2A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
      • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
      • API String ID: 4229786687-1024936294
      • Opcode ID: d497e7a59ace8a1fc39e9ce41932032aa4a431ab3a5b3eeb050f64a7975d66ed
      • Instruction ID: 2cfe5c9a85ad1bcd5e1c8fbd83657dd44a42102beaa37391e64f84e09190ad74
      • Opcode Fuzzy Hash: d497e7a59ace8a1fc39e9ce41932032aa4a431ab3a5b3eeb050f64a7975d66ed
      • Instruction Fuzzy Hash: 99015EB45607019FDF62AF649D09B1ABAF4FB15B00F40592DF208E76D0C7B468008F09
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5711427942e2833f409ed75863e61ec8560399358d1bcf2e66619f65dd748994
      • Instruction ID: 4dd1dbb55577b55502a60c564cd298ec4db269703e4f3462709a497cf2d09526
      • Opcode Fuzzy Hash: 5711427942e2833f409ed75863e61ec8560399358d1bcf2e66619f65dd748994
      • Instruction Fuzzy Hash: 6902AF32920605DFCB11DF58C8849AEBBBAFF49312F658059ED11BB210EBB0AC55CF94
      APIs
      • __EH_prolog3.LIBCMT ref: 0026F11E
      • SendMessageW.USER32(?,000000B0,?,?), ref: 0026F138
      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0026F329
      • MessageBeep.USER32(000000FF), ref: 0026F36E
      • MessageBeep.USER32(000000FF), ref: 0026F537
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Message$BeepSend$H_prolog3
      • String ID:
      • API String ID: 280101887-0
      • Opcode ID: 6a5122af3d8cd6f28a875465816203769efdbcd1862838bc2d85d2f916b5b9a0
      • Instruction ID: a24583e06d93a57814e78d7a167a9555db7fd82aa46ed11e8a1d49c7bfbc721e
      • Opcode Fuzzy Hash: 6a5122af3d8cd6f28a875465816203769efdbcd1862838bc2d85d2f916b5b9a0
      • Instruction Fuzzy Hash: BED15C71A1011AABCF15DFA4D985AFEB7B9FF48300F144129E952B7281DB30AD64CFA1
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 366571d8500ad8e2371f132f41faf3e65531c6a7d1eb51bcf2419da8d3306427
      • Instruction ID: 74cf6a101c90811bb5ba815ee2bf5dc4345eb89a695ec01cd8d14b1ab47902ff
      • Opcode Fuzzy Hash: 366571d8500ad8e2371f132f41faf3e65531c6a7d1eb51bcf2419da8d3306427
      • Instruction Fuzzy Hash: FEC10574E09209AFDF17DFA8C992BAEBBB4BF49300F154069E505AB392C7309D41CB65
      APIs
      • SetRectEmpty.USER32(?), ref: 002759BD
      • InvalidateRect.USER32(?,?,00000001), ref: 00275A19
      • InvalidateRect.USER32(?,?,00000001), ref: 00275A28
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Invalidate$Empty
      • String ID:
      • API String ID: 1126320529-0
      • Opcode ID: 70e480761623be9dda7f128773422db2a7bb17e8c350b0f21acd8fc1ebe7c5ac
      • Instruction ID: 59a2efd9494ae15cfff73e138d5ac667468e91808bf4f3c181009d3bd6939609
      • Opcode Fuzzy Hash: 70e480761623be9dda7f128773422db2a7bb17e8c350b0f21acd8fc1ebe7c5ac
      • Instruction Fuzzy Hash: 77814C35A10619DFCF06CF64C884ABEB7B9FF49310F144169E806AB261DBB4AE41CF91
      APIs
      • EnableMenuItem.USER32(?,0000420F,00000001), ref: 00294CFF
      • EnableMenuItem.USER32(?,0000420E,00000001), ref: 00294D1A
      • CheckMenuItem.USER32(?,00004213,00000008), ref: 00294D4E
      • EnableMenuItem.USER32(?,00004212,00000001), ref: 00294D68
      • EnableMenuItem.USER32(?,00004212,00000001), ref: 00294D97
      • EnableMenuItem.USER32(?,00004213,00000001), ref: 00294DA6
      • EnableMenuItem.USER32(?,00004214,00000001), ref: 00294DB5
      • EnableMenuItem.USER32(?,00004215,00000001), ref: 00294E05
      • CheckMenuItem.USER32(?,00004215,00000008), ref: 00294E1D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ItemMenu$Enable$Check
      • String ID:
      • API String ID: 1852492618-0
      • Opcode ID: e3d3e1429ac66a7e38b0aa45e72e23bc6224dca6d111a67ae75dddcb48acbcf8
      • Instruction ID: cd0443b73fe395379a6cce9724ca79710f9f6945d917acfd6c941e4d85f3fbbd
      • Opcode Fuzzy Hash: e3d3e1429ac66a7e38b0aa45e72e23bc6224dca6d111a67ae75dddcb48acbcf8
      • Instruction Fuzzy Hash: 9041F334650215EFEF22AF20CD45E69BBB4FF05B11F048166FA05AB1A0C771DD61DBA0
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002593C4
      • SendMessageW.USER32(00000000,00000000,00000000,00000080), ref: 0025940B
      • SendMessageW.USER32(00000000,00000000,00000000), ref: 00259437
      • ValidateRect.USER32(00000000,00000000), ref: 0025944A
        • Part of subcall function 0024EEA4: GetClientRect.USER32(?,?), ref: 0024EF0E
      • GetClientRect.USER32(00000000,00000000), ref: 002594C2
      • BeginPaint.USER32(00000000,?), ref: 002594CF
      • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00259505
      • SendMessageW.USER32(00000000,00000000,00000000), ref: 00259527
      • EndPaint.USER32(00000000,?), ref: 0025953F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
      • String ID:
      • API String ID: 3883544035-0
      APIs
      • __EH_prolog3.LIBCMT ref: 00247681
      • GetMenuItemCount.USER32(?), ref: 002476C7
      • GetMenuItemCount.USER32(?), ref: 002476D3
      • GetSubMenu.USER32(?,-00000001), ref: 002476EA
      • GetMenuItemCount.USER32(00000000), ref: 002476FD
      • GetSubMenu.USER32(00000000,00000000), ref: 0024770E
      • RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,?,?,003EBBA4,0000000C,00000004,00241C78,?), ref: 00247728
      Similarity
      • API ID: Menu$CountItem$H_prolog3Remove
      • String ID:
      • API String ID: 3061525546-0
      APIs
      • GetPropW.USER32(?), ref: 00264B35
      • GlobalLock.KERNEL32(00000000), ref: 00264B3E
      • SendMessageW.USER32(?,00000476,00000000,00000000), ref: 00264B59
      • GlobalUnlock.KERNEL32(00000000), ref: 00264B64
      • RemovePropW.USER32(?), ref: 00264B73
      • GlobalFree.KERNEL32(00000000), ref: 00264B7E
      • GlobalUnlock.KERNEL32(00000000), ref: 00264BA0
      • GetAsyncKeyState.USER32(00000011), ref: 00264BB1
      • SendMessageW.USER32(?,00000475,00000000,?), ref: 00264BD9
      Similarity
      • API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
      • String ID:
      • API String ID: 723318029-0
      APIs
      • GetDlgItem.USER32(?,?), ref: 002648FE
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0026490D
      • IsWindowEnabled.USER32(00000000), ref: 0026491B
      • GetDlgItem.USER32(?), ref: 00264931
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0026493C
      • IsWindowEnabled.USER32(00000000), ref: 0026494A
      • GetFocus.USER32 ref: 00264968
      • IsWindowEnabled.USER32(00000000), ref: 0026496F
      • SetFocus.USER32(00000000), ref: 0026497A
      Similarity
      • API ID: Window$Enabled$FocusItemLong
      • String ID:
      • API String ID: 1558694495-0
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00269A0A
        • Part of subcall function 00259C44: GetWindowTextLengthW.USER32(?), ref: 00259C55
        • Part of subcall function 00259C44: GetWindowTextW.USER32(?,00000000,00000000), ref: 00259C6C
      • InflateRect.USER32(?,?,?), ref: 00269B72
      • SetRectEmpty.USER32(?), ref: 00269B7E
      • InflateRect.USER32(?,00000000,00000000), ref: 00269C2B
      • OffsetRect.USER32(?,00000001,00000001), ref: 00269CEB
      • IsRectEmpty.USER32(?), ref: 00269D9B
      Similarity
      • API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 2648887860-973906075
      APIs
      • GetParent.USER32(00000000), ref: 002932A1
      • GetClientRect.USER32(?,u,)), ref: 002932B4
      • GetWindowRect.USER32(00000000,?), ref: 00293306
      • GetParent.USER32(00000000), ref: 0029330F
      • GetParent.USER32(00000000), ref: 002935A6
      • RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,00292C75,00000000), ref: 002935D6
      Similarity
      • API ID: Parent$RectWindow$ClientRedraw
      • String ID: u,)
      • API String ID: 443302174-3606610027
      APIs
      • GetModuleHandleW.KERNEL32(user32.dll), ref: 0025A5B7
      • GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 0025A5EC
      • GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 0025A614
      • ScreenToClient.USER32(?,?), ref: 0025A6A0
      Similarity
      • API ID: AddressProc$ClientHandleModuleScreen
      • String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
      • API String ID: 471820996-2905070798
      APIs
      • __EH_prolog3.LIBCMT ref: 002921AB
        • Part of subcall function 0027E311: __EH_prolog3.LIBCMT ref: 0027E318
      • SetRectEmpty.USER32(?), ref: 00292364
      • SetRectEmpty.USER32(?), ref: 002923F6
      Similarity
      • API ID: EmptyH_prolog3Rect
      • String ID: (J@$@K@$XL@$pM@
      • API String ID: 1443337074-3471717060
      APIs
      • GetParent.USER32(00000000), ref: 00292B2A
      • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 00292B66
      • SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 00292B99
      • SetRectEmpty.USER32(?), ref: 00292C06
      • SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 00292C66
      • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 00292C95
      Similarity
      • API ID: MessageSend$EmptyParentRectRedrawWindow
      • String ID: ({<
      • API String ID: 3879113052-716903152
      APIs
      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00281F24
      • GetObjectW.GDI32(00000000,00000018,?), ref: 00281F3F
      • DeleteObject.GDI32(00000000), ref: 00281F4C
      • DeleteObject.GDI32(00000000), ref: 00281FCC
        • Part of subcall function 00282C39: GetObjectW.GDI32(?,00000054,?), ref: 00282C53
      • __EH_prolog3.LIBCMT ref: 00281E40
        • Part of subcall function 0025161C: DeleteObject.GDI32(?), ref: 0025162E
        • Part of subcall function 00281CF3: FindResourceW.KERNEL32(?,?,PNG,?,?,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D15
        • Part of subcall function 00281CF3: LoadResource.KERNEL32(?,00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D23
        • Part of subcall function 00281CF3: LockResource.KERNEL32(00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D2E
        • Part of subcall function 00281CF3: SizeofResource.KERNEL32(?,00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D3C
      Similarity
      • API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
      • String ID: $H$;
      • API String ID: 1337615151-383333514
      APIs
      • FillRect.USER32(?,?,00000000), ref: 0028A8EC
      • GetParent.USER32(?), ref: 0028A90D
      • GetWindowRect.USER32(?,?), ref: 0028A92F
      • GetClientRect.USER32(?,?), ref: 0028A9D7
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 0028A9E9
      • DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 0028AA11
      Similarity
      • API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
      • String ID: z<
      • API String ID: 2136005349-1035170313
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID: XML$uninstall.xml
      • API String ID: 3473537107-4199322774
      APIs
      • CheckMenuItem.USER32(?,?,00000000), ref: 0024E985
        • Part of subcall function 00251675: GetWindowTextW.USER32(?,?,00000100), ref: 002516CB
        • Part of subcall function 00251675: lstrcmpW.KERNEL32(?,0024EA93,?,00000000), ref: 002516DD
        • Part of subcall function 00251675: SetWindowTextW.USER32(?,0024EA93), ref: 002516E9
      • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0024E9A0
      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0024E9BD
      • SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 0024EA2A
      • SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0024EA7A
      Similarity
      • API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
      • String ID: 0$@
      • API String ID: 72408025-1545510068
      APIs
      • LoadCursorW.USER32(?,00007904), ref: 00297A5C
      • LoadCursorW.USER32(?,00007905), ref: 00297A8F
      • LoadCursorW.USER32(00000000,00007F86), ref: 00297ABA
      • CreatePen.GDI32(00000000,00000001,?), ref: 00297B32
      Similarity
      • API ID: CursorLoad$Create
      • String ID: T:;$_MOUSEANCHORWND@@
      • API String ID: 1516763891-2079010079
      APIs
      • __EH_prolog3.LIBCMT ref: 002785FA
      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078,00278F1A,?,002787C7), ref: 00278616
      • SHGetDesktopFolder.SHELL32(?,00000000,00000000,?,00000078,00278F1A,?,002787C7), ref: 00278627
      • GlobalAlloc.KERNEL32(00000040,0000000C,?,002787C7), ref: 00278640
      • SendMessageW.USER32(00000001,00001132,00000000,?), ref: 00278702
      • SendMessageW.USER32(00000001,00001102,00000002,00000000), ref: 00278713
      Similarity
      • API ID: FolderMessageSend$AllocDesktopGlobalH_prolog3LocationSpecial
      • String ID: g
      • API String ID: 4238072464-30677878
      APIs
      • __EH_prolog3.LIBCMT ref: 0037209E
      • IsAppThemed.UXTHEME(0000003C,0037221B,?), ref: 003720E0
      • OpenThemeData.UXTHEME(?,Button), ref: 0037210B
      • GetThemePartSize.UXTHEME(?,00000003,00000003,00000005,00000000,00000001,?,00000000), ref: 00372152
      • CloseThemeData.UXTHEME(?), ref: 00372173
      • GetObjectW.GDI32(?,00000018,?), ref: 0037219C
      Similarity
      • API ID: Theme$Data$CloseH_prolog3ObjectOpenPartSizeThemed
      • String ID: Button
      • API String ID: 1633685699-1034594571
      APIs
      • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00278B16
      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00278B50
      • SendMessageW.USER32(?,00001102,00008001,?), ref: 00278B92
        • Part of subcall function 0027846B: __EH_prolog3.LIBCMT ref: 00278472
        • Part of subcall function 0027846B: SendMessageW.USER32(?,0000113E,00000000,?), ref: 002784B4
      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00278BD6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$H_prolog3
      • String ID: @
      • API String ID: 1885053084-2766056989
      • Opcode ID: 4f5e0adf83fa213e5e48b0731f21cb5d022a0c8da0e8586acfdfa7fbe95eccf7
      • Instruction ID: 921a26c2413f01eaa6796d34bc3f577cca6408df6c77ea526286f1b2fa5f9f6a
      • Opcode Fuzzy Hash: 4f5e0adf83fa213e5e48b0731f21cb5d022a0c8da0e8586acfdfa7fbe95eccf7
      • Instruction Fuzzy Hash: 3931B9B16A1315BFE7169F24DC4AEDA7B7CFF19725F004011F609E61A0EBB1DD208AA1
      APIs
      • __EH_prolog3.LIBCMT ref: 0027CDD8
      • CreateRectRgnIndirect.GDI32(00000000), ref: 0027CDF8
        • Part of subcall function 00255AAD: SelectClipRgn.GDI32(?,00000000), ref: 00255AD1
        • Part of subcall function 00255AAD: SelectClipRgn.GDI32(?,00000000), ref: 00255AE9
      • GetParent.USER32(00000000), ref: 0027CE18
      • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,00000018,00269FEB,?,?,?), ref: 0027CE39
      • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 0027CE6D
      • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 0027CE99
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
      • String ID: p;;
      • API String ID: 935984306-638170974
      • Opcode ID: c8552509bbd5e2417ae84419791400e047baebe31f9ab5532a8d9819611a7c3f
      • Instruction ID: c0c654176d86118cd8c8ee8b8a62b1de650604adc57fadc46e07fbe8dd780776
      • Opcode Fuzzy Hash: c8552509bbd5e2417ae84419791400e047baebe31f9ab5532a8d9819611a7c3f
      • Instruction Fuzzy Hash: FC310971A1021AAFDF01DFA0C895BAE7BB5FF18301F104418FA15AA262DB759A24DF90
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00271AD1
        • Part of subcall function 0027214B: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00272154
      • SendMessageW.USER32(?,00000030,?,00000001), ref: 00271B37
      • SendMessageW.USER32(?,000000D4,00000000,00000000), ref: 00271B48
      • SendMessageW.USER32(?,00000030,?,00000001), ref: 00271B70
      • SendMessageW.USER32(?,000000D4,00000000,00000000), ref: 00271B7C
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00271B9C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$ContextExternal$BaseBase::~Concurrency::details::H_prolog3_
      • String ID: d
      • API String ID: 1047725533-2564639436
      • Opcode ID: ca8f05e6fc1744b3511a367afa5d7b0ed4ade2e84cfd819e8440df2351d52a4f
      • Instruction ID: b9f1bf4eb3616419e3199b49f1c0eda151c2a82aa17881ff0ca77605d8fdd15a
      • Opcode Fuzzy Hash: ca8f05e6fc1744b3511a367afa5d7b0ed4ade2e84cfd819e8440df2351d52a4f
      • Instruction Fuzzy Hash: 9321AE30A20228AFDB26AF64CC45FEEBBB8FF45704F404059F509A71A1EB705A14CF21
      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00250BE2
      • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 00250BF2
      • EncodePointer.KERNEL32(00000000), ref: 00250BFB
      • DecodePointer.KERNEL32(00000000), ref: 00250C09
      • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?), ref: 00250C56
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
      • String ID: DrawThemeTextEx$uxtheme.dll
      • API String ID: 1727381832-3035683158
      • Opcode ID: dee81602c317fec8a68d28b13947c2928922a5e8a5c1381896cbb63f6a28156f
      • Instruction ID: 94eb5076b6c2d652b1769d59068043c43bf9b588c565e06461e26e193959a807
      • Opcode Fuzzy Hash: dee81602c317fec8a68d28b13947c2928922a5e8a5c1381896cbb63f6a28156f
      • Instruction Fuzzy Hash: 9611DD3611121AABCF136FA0DE489EE3F6AAB19796B044211FE05A2160C776C821EF94
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00247914
      • OleDuplicateData.OLE32(?,?,00000000), ref: 002479A5
      • GlobalLock.KERNEL32(00000000), ref: 002479C8
      • CopyMetaFileW.GDI32(?,00000000,?,00000000,?,00000040,0031DC7D,?,00000000,00000000,00000000,0000005C,00297E5A,?), ref: 002479D6
      • GlobalUnlock.KERNEL32(00000000), ref: 002479E4
      • GlobalFree.KERNEL32(00000000), ref: 002479EB
      • GlobalUnlock.KERNEL32(00000000), ref: 002479F8
      • CopyFileW.KERNEL32(?,?,00000000,00000054,00328989,?,?,?,?,00000000,?,00000040,0031DC7D,?,00000000,00000000), ref: 00247BA3
        • Part of subcall function 0024788E: GlobalSize.KERNEL32(?), ref: 00247897
        • Part of subcall function 0024788E: GlobalAlloc.KERNEL32(00002002,00000000), ref: 002478AF
        • Part of subcall function 0024788E: GlobalLock.KERNEL32(?), ref: 002478BF
        • Part of subcall function 0024788E: GlobalLock.KERNEL32(?), ref: 002478C8
        • Part of subcall function 0024788E: GlobalSize.KERNEL32(?), ref: 002478D5
        • Part of subcall function 0024788E: GlobalUnlock.KERNEL32(?), ref: 002478E6
        • Part of subcall function 0024788E: GlobalUnlock.KERNEL32(?), ref: 002478EF
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$Unlock$Lock$CopyFileSize$AllocDataDuplicateFreeH_prolog3_Meta
      • String ID:
      • API String ID: 1141703180-0
      • Opcode ID: 1ab4c0e71d324f21b2230340b62fef845c433adb9b184bc30223ab0875fa488d
      • Instruction ID: 56cc7f8a5d93b68aad7651e7f3f07689684503b9edcad0c82b7bb2b237494bcc
      • Opcode Fuzzy Hash: 1ab4c0e71d324f21b2230340b62fef845c433adb9b184bc30223ab0875fa488d
      • Instruction Fuzzy Hash: 09915D71524602EFDB299F64CD5992ABBB8FF55710B04825CF426DB6A4DB70EC20CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
      • String ID:
      • API String ID: 3509494761-0
      • Opcode ID: 9cf2c68dbf1bf39fd9000aaaed9cf33120ad0eb7ff92403f73b9e93ffd6765b5
      • Instruction ID: 92b03bde87ffa052b572773df52006108965039869d4e9f9810dc8810875eeab
      • Opcode Fuzzy Hash: 9cf2c68dbf1bf39fd9000aaaed9cf33120ad0eb7ff92403f73b9e93ffd6765b5
      • Instruction Fuzzy Hash: AB51C2356112169FDF16AF24CC99BBE3BA9AF45300F480078EC069F292CF749D15CBA2
      APIs
        • Part of subcall function 002B61D9: IsWindow.USER32(?), ref: 002B61E5
      • ScreenToClient.USER32(00000000,?), ref: 002843F9
      • PtInRect.USER32(?,?,?), ref: 00284409
      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00284436
      • GetParent.USER32(?), ref: 0028445F
      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 002844D7
      • GetFocus.USER32 ref: 002844DD
      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00284517
      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00284540
        • Part of subcall function 002B4BDE: GetClientRect.USER32(00000000,002843AF), ref: 002B4C0D
        • Part of subcall function 002B4BDE: PtInRect.USER32(002843AF,?,?), ref: 002B4C27
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$Rect$Client$FocusParentScreenWindow
      • String ID:
      • API String ID: 4216724418-0
      • Opcode ID: 147747ebeb7a229b09d3a3d56fd8cfc947df1c0cc18b2716591043a937c23ab2
      • Instruction ID: c1308e3c64c4da0453b8b5421c961a3ab5691e427d3683c6f4f02471fed8ae75
      • Opcode Fuzzy Hash: 147747ebeb7a229b09d3a3d56fd8cfc947df1c0cc18b2716591043a937c23ab2
      • Instruction Fuzzy Hash: ED51D479A2121BABDF11FF64CC45BAEB7B9EF58300F140425E901E7291EB75ED208B50
      APIs
      • GetFocus.USER32 ref: 0027AD59
      • ScreenToClient.USER32(?,?), ref: 0027ADA0
      • SendMessageW.USER32(?,0000102C,00000000,00000003), ref: 0027ADDE
      • SetCapture.USER32(?), ref: 0027AE04
      • ReleaseCapture.USER32 ref: 0027AE3C
      • ScreenToClient.USER32(?,?), ref: 0027AE5B
      • GetSystemMetrics.USER32(00000044), ref: 0027AE8E
      • GetSystemMetrics.USER32(00000045), ref: 0027AEAC
        • Part of subcall function 00279E50: SendMessageW.USER32(00000000,00001018,00000000,00000000), ref: 00279E5C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
      • String ID:
      • API String ID: 3871486171-0
      • Opcode ID: 0e7f5ba16411b271fe7d12f9b50a8e850d19e026b18b5dbc35d271c7678ef6e2
      • Instruction ID: 7c480de43fd77c9beb163980f73da62652dcac41211d5506434d8f7b5735af36
      • Opcode Fuzzy Hash: 0e7f5ba16411b271fe7d12f9b50a8e850d19e026b18b5dbc35d271c7678ef6e2
      • Instruction Fuzzy Hash: CA51E571A1020AEFCB19DFB4C945AEDBBB8FF48321F008269E629D7190D730A960CF51
      APIs
      • __EH_prolog3.LIBCMT ref: 00282D06
      • EnterCriticalSection.KERNEL32(00404690,00000018,002AD935,?,?,?,00000000,?,?,?,?,?), ref: 00282D29
      • SelectObject.GDI32(?,00000018), ref: 00282D78
      • LeaveCriticalSection.KERNEL32(00404690,?), ref: 00282D95
      • CreateBitmap.GDI32(-00000002,-00000002,00000001,00000001,00000000), ref: 00282DBD
      • SelectObject.GDI32(00000000), ref: 00282DCC
      • CreateCompatibleDC.GDI32(00000000), ref: 00282E54
      • CreateCompatibleBitmap.GDI32(?,-00000002,-00000002), ref: 00282E74
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
      • String ID:
      • API String ID: 4255533662-0
      • Opcode ID: a56a8774ca497ab48c043b00608aca339df0e05d5bd25a0d0fe0d0d91e6eceb7
      • Instruction ID: 0b4640853d8c19f90ce7825d9020c606dbf10530991fbbb7fdf42807fc8b4367
      • Opcode Fuzzy Hash: a56a8774ca497ab48c043b00608aca339df0e05d5bd25a0d0fe0d0d91e6eceb7
      • Instruction Fuzzy Hash: E051AF78521702DFDB31EF25C985A67BBF4FF49701B00482DE85697290E774E868CB14
      APIs
      • GetClientRect.USER32(?,?), ref: 0025BDBC
      • BeginDeferWindowPos.USER32(00000008), ref: 0025BDD2
      • GetTopWindow.USER32(?), ref: 0025BDE4
      • GetDlgCtrlID.USER32(00000000), ref: 0025BDED
      • SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 0025BE25
      • GetWindow.USER32(00000000,00000002), ref: 0025BE2E
      • CopyRect.USER32(?,?), ref: 0025BE49
      • EndDeferWindowPos.USER32(00000000), ref: 0025BED6
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
      • String ID:
      • API String ID: 1228040700-0
      • Opcode ID: a861229ef3139c75ea3632cda5b6e661807308d214d31160a9f25e2c1d2f7b55
      • Instruction ID: a113c3e063c988d24c42496a95e220b2acc9b8e6ee95228367077e1b23111820
      • Opcode Fuzzy Hash: a861229ef3139c75ea3632cda5b6e661807308d214d31160a9f25e2c1d2f7b55
      • Instruction Fuzzy Hash: 495118319202099FCF16DFA4D886AEEB7B8BF49312F184419ED05BB250D774AD58CB68
      APIs
      • GetClientRect.USER32(?,?), ref: 0026A7FC
      • ClientToScreen.USER32(?,?), ref: 0026A815
      • PtInRect.USER32(?,?,?), ref: 0026A825
      • WindowFromPoint.USER32(?,?), ref: 0026A839
      • SetCapture.USER32(?), ref: 0026A898
      • InvalidateRect.USER32(?,00000000,00000001), ref: 0026A8BA
      • UpdateWindow.USER32(?), ref: 0026A8C3
      • ReleaseCapture.USER32 ref: 0026A913
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$CaptureClientWindow$FromInvalidatePointReleaseScreenUpdate
      • String ID:
      • API String ID: 1999979895-0
      • Opcode ID: e616dbc0b229d75d531fa05b7bde4e84d10fceb4c687e7616620aa107dc6629e
      • Instruction ID: 0e7989dfc6add320221e4f6f031daae97cd75538c1df394eebf5b15dd3023330
      • Opcode Fuzzy Hash: e616dbc0b229d75d531fa05b7bde4e84d10fceb4c687e7616620aa107dc6629e
      • Instruction Fuzzy Hash: 83413871920706DFDB619F75C844BAAB7F9BB18301F10492EE59AE3120EB34A995CF12
      APIs
      • MessageBeep.USER32(000000FF), ref: 002A196D
      • ReleaseCapture.USER32 ref: 002A19BD
      • GetClientRect.USER32(?,?), ref: 002A19E9
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 002A1A01
      • GetCursorPos.USER32(?), ref: 002A1A11
      • ScreenToClient.USER32(?,?), ref: 002A1A1E
      • PtInRect.USER32(?,?,?), ref: 002A1A2E
      • SendMessageW.USER32(?,?,?,?), ref: 002A1A4A
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientMessageRect$BeepCaptureCursorPointsReleaseScreenSendWindow
      • String ID:
      • API String ID: 1719883865-0
      • Opcode ID: 4233a395df538cefe16bb9259f5683bc32f338994fe1c73abc770a1815fc4fe4
      • Instruction ID: 443db47d1ceb31b8f2ff5d0e0a4448f03d6e4a7ca2ebdcfd5cfacebe465b9cbe
      • Opcode Fuzzy Hash: 4233a395df538cefe16bb9259f5683bc32f338994fe1c73abc770a1815fc4fe4
      • Instruction Fuzzy Hash: C441C576610206DFCF01CF95CC88AAEBBB9FF8A311F144569E8169B271DB30A921CF51
      APIs
      • __EH_prolog3.LIBCMT ref: 00278472
      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 002784B4
      • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 002784D4
      • SHGetDesktopFolder.SHELL32(?), ref: 002784F2
      • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00278525
      • SendMessageW.USER32(?,00001115,00000000,?), ref: 00278567
      • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00278575
      • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00278585
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$DesktopFolderH_prolog3RedrawWindow
      • String ID:
      • API String ID: 1930222516-0
      • Opcode ID: 17912c4d04f15f28e8d54af8cf3a4c65ccb0540395f4d725e70bed62e8712c97
      • Instruction ID: bb87e0df06c9660c54c6753a7a9e30d9b7747c1eee22d22ae7aec8a8c1979426
      • Opcode Fuzzy Hash: 17912c4d04f15f28e8d54af8cf3a4c65ccb0540395f4d725e70bed62e8712c97
      • Instruction Fuzzy Hash: 75416075A51215AFDB159FA0DD89EAEBB7DFF09700F104014FA09A7260DB719E10CBA1
      APIs
      • GetWindowRect.USER32(?,?), ref: 00271196
      • InvalidateRect.USER32(?,00000000,00000001), ref: 002711D9
      • TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00271233
      • GetParent.USER32(?), ref: 00271242
      • SendMessageW.USER32(?,00000111,?,?), ref: 00271274
      • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00271294
      • UpdateWindow.USER32(?), ref: 0027129D
      • ReleaseCapture.USER32 ref: 002712AC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
      • String ID:
      • API String ID: 2465089168-0
      • Opcode ID: 19a72d7d45392e687b729b4bf2ac541661ca6ec18dda6f8b76ab47c18326d38d
      • Instruction ID: 08872e8066854676a48d0892e363bcf7c7d57668d95592b5fbe431719dd5f3c8
      • Opcode Fuzzy Hash: 19a72d7d45392e687b729b4bf2ac541661ca6ec18dda6f8b76ab47c18326d38d
      • Instruction Fuzzy Hash: FA4117B0A14716EFDB199F74DC84AAAFBB9FF09301F00422DE91D96261D774A820CF91
      APIs
      • GetParent.USER32(?), ref: 0026A6EF
      • SendMessageW.USER32(?,00000111,?,?), ref: 0026A71C
      • IsWindow.USER32(?), ref: 0026A725
      • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0026A739
      • IsWindow.USER32(?), ref: 0026A747
      • ReleaseCapture.USER32 ref: 0026A759
      • KillTimer.USER32(?,0000EC0D), ref: 0026A775
      • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0026A795
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
      • String ID:
      • API String ID: 3014619129-0
      • Opcode ID: e54979b45770054690c73fcb25506b9ac0383ea570a3d82a595858b3502d9bea
      • Instruction ID: 7e0ef3eb8ebe8ebaffde4d724b1608b5aa55b87eb3f5f890286884a3d8de8769
      • Opcode Fuzzy Hash: e54979b45770054690c73fcb25506b9ac0383ea570a3d82a595858b3502d9bea
      • Instruction Fuzzy Hash: 7A315270722623EFDB1A5F35C844F9AFA6DFB05B41F04021AF059A2151D730A8A0DFD2
      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0024C101
      • EnterCriticalSection.KERNEL32(?,00000010,0024C028,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C112
      • TlsGetValue.KERNEL32(?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C12E
      • LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C196
      • LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C1B0
      • TlsSetValue.KERNEL32(?,00000000), ref: 0024C1E1
      • LeaveCriticalSection.KERNEL32(00241F31,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C1FF
      Similarity
      • API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
      • String ID:
      • API String ID: 1707010094-0
      • Opcode ID: 52e170ada18d578c2bfc493af151fc4ec954c3f8c87d39a1f79da087c99446e6
      • Instruction ID: 928bcaa715aa0d928d0dcf5d3e60cad042ba6a43ac2dd8a406975b5095a12d4c
      • Opcode Fuzzy Hash: 52e170ada18d578c2bfc493af151fc4ec954c3f8c87d39a1f79da087c99446e6
      • Instruction Fuzzy Hash: 3D31B275901701DFDB6ADF19C885A2BBBB5FF41720B24C069E81E9B2A2C770E850DF90
      APIs
      • ScreenToClient.USER32(?,?), ref: 002EF5A6
      • GetParent.USER32(?), ref: 002EF5BD
      • GetClientRect.USER32(?,?), ref: 002EF601
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 002EF613
      • PtInRect.USER32(?,?,?), ref: 002EF623
      • GetClientRect.USER32(?,?), ref: 002EF650
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 002EF662
      • PtInRect.USER32(?,?,?), ref: 002EF672
      Similarity
      • API ID: Rect$Client$PointsWindow$ParentScreen
      • String ID:
      • API String ID: 1944725958-0
      • Opcode ID: ca8c3687474bc66ac3459254b926285a8399edf21e44186e2303e3ee5f2206da
      • Instruction ID: f76af2182530b5c7e973745042cea34805edfc90cdd2e9b3a96508e21c5da867
      • Opcode Fuzzy Hash: ca8c3687474bc66ac3459254b926285a8399edf21e44186e2303e3ee5f2206da
      • Instruction Fuzzy Hash: BC316C72A10219AFDF029FA5CD489BE7BBDFF59300B544529E906E7261EB31DE108B90
      APIs
      • RealChildWindowFromPoint.USER32(?,?,?), ref: 00251921
      • ClientToScreen.USER32(?,?), ref: 0025193C
      • GetWindow.USER32(?,00000005), ref: 00251945
      • GetDlgCtrlID.USER32(00000000), ref: 00251955
      • GetWindowLongW.USER32(00000000,000000F0), ref: 00251965
      • GetWindowRect.USER32(00000000,?), ref: 00251983
      • PtInRect.USER32(?,?,?), ref: 00251993
      • GetWindow.USER32(00000000,00000002), ref: 002519A2
      Similarity
      • API ID: Window$Rect$ChildClientCtrlFromLongPointRealScreen
      • String ID:
      • API String ID: 151369081-0
      • Opcode ID: 616e07e5635775a8b8f3741dfee626ca5ea1e61ce6c853aa6c52126717623775
      • Instruction ID: c41da3575c4ecf0cbc7fad55b20bcb629731e7b3209a9400adaede4d52da8122
      • Opcode Fuzzy Hash: 616e07e5635775a8b8f3741dfee626ca5ea1e61ce6c853aa6c52126717623775
      • Instruction Fuzzy Hash: D021B67291061AABCB129FA8CC48EAFBBBDEF15301F144529F801E3250D7388D158B94
      APIs
      • GetSystemMetrics.USER32(00000031), ref: 0027D2FC
      • GetSystemMetrics.USER32(00000032), ref: 0027D30A
      • SetRectEmpty.USER32(004045E4), ref: 0027D31D
      • EnumDisplayMonitors.USER32(00000000,00000000,0027D186,004045E4), ref: 0027D32D
      • SystemParametersInfoW.USER32(00000030,00000000,004045E4,00000000), ref: 0027D33C
      • SystemParametersInfoW.USER32(00001002,00000000,00404608,00000000), ref: 0027D369
      • SystemParametersInfoW.USER32(00001012,00000000,0040460C,00000000), ref: 0027D37D
      • SystemParametersInfoW.USER32(0000100A,00000000,0040461C,00000000), ref: 0027D3A3
      Similarity
      • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
      • String ID:
      • API String ID: 2614369430-0
      • Opcode ID: e0a90c3bb886811036b7b6f69e831677852cfcec4b698792713d4211398381b2
      • Instruction ID: 7911fb04c357e100a82c52f8e4e72753433543751ebb92be4cd2d14de1870365
      • Opcode Fuzzy Hash: e0a90c3bb886811036b7b6f69e831677852cfcec4b698792713d4211398381b2
      • Instruction Fuzzy Hash: 7F2137B0241616BFF3468F719C89AE3BBACFF0A355F004229F65DC6140E7B56855CBA1
      APIs
      • GlobalLock.KERNEL32(00000000), ref: 00248D2B
      • lstrcmpW.KERNEL32(00000000,?), ref: 00248D3C
      • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00248D51
      • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00248D71
      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00248D79
      • GlobalLock.KERNEL32(00000000), ref: 00248D83
      • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00248D94
      • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00248DAC
        • Part of subcall function 00251642: GlobalFlags.KERNEL32(?), ref: 0025164F
        • Part of subcall function 00251642: GlobalUnlock.KERNEL32(?), ref: 0025165D
        • Part of subcall function 00251642: GlobalFree.KERNEL32(?), ref: 00251669
      Similarity
      • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
      • String ID:
      • API String ID: 168474834-0
      • Opcode ID: 3b3025310961639994b68f7551b17347aa2b738aa516204305762d1fb612a517
      • Instruction ID: adf2378c64a34af77146122db2c95fb925da2ae5122c6adb8d77bf75c4626ee1
      • Opcode Fuzzy Hash: 3b3025310961639994b68f7551b17347aa2b738aa516204305762d1fb612a517
      • Instruction Fuzzy Hash: 30115AB2410609FFEF276FB0CD86EAE7BACEF04744B104469BA42950B1DA719D60DB20
      APIs
      Similarity
      • API ID: Global$Size$LockUnlock$Alloc
      • String ID:
      • API String ID: 2344174106-0
      • Opcode ID: 71129bc87adc31db4c6edc6d41fc8b54b30c89edabdb48ba8e31930cc3468c24
      • Instruction ID: 5e322ae4d594947411a65a8f9676c4da650e3eed1a925ee5f60a58ca6311dd20
      • Opcode Fuzzy Hash: 71129bc87adc31db4c6edc6d41fc8b54b30c89edabdb48ba8e31930cc3468c24
      • Instruction Fuzzy Hash: 15014F7A610315BBDB122FA5EC8C86A7E6CEB067A1B104524F917932A5EB708D10DA60
      APIs
      • __EH_prolog3.LIBCMT ref: 002829F7
      • LoadImageW.USER32(?,00000000,00000000,00000000,00000000,00002000), ref: 00282B9A
      • GetObjectW.GDI32(00000000,00000018,?), ref: 00282BAC
      • DeleteObject.GDI32(00000000), ref: 00282C04
      Strings
      Similarity
      • API ID: Object$DeleteH_prolog3ImageLoad
      • String ID: H$;$`w&
      • API String ID: 91933946-1974514514
      • Opcode ID: fbc9b1f763501e51fdc622ea9e8f4b0358d7dbbe48f0f9a460c6bc15335ad65d
      • Instruction ID: d5350b3c209271ff13ab435228a300f3b0d006ee6e4ca4ba4e39a70e2f91d3ce
      • Opcode Fuzzy Hash: fbc9b1f763501e51fdc622ea9e8f4b0358d7dbbe48f0f9a460c6bc15335ad65d
      • Instruction Fuzzy Hash: 5C71AE79812215CBCF19EF64C880BEE7BB5BF08310F1445AAEC196B286C7744969CFA4
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00279A29
      • GetClientRect.USER32(00000000,00000000), ref: 00279A7C
        • Part of subcall function 002548B5: __EH_prolog3.LIBCMT ref: 002548BC
        • Part of subcall function 002548B5: GetDC.USER32(00000000), ref: 002548E8
      • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00279AC8
      • GetParent.USER32(00000000), ref: 00279AD3
      • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00279AF9
      • GetTextMetricsW.GDI32(?,?), ref: 00279B19
        • Part of subcall function 00255BB4: SelectObject.GDI32(?,00000000), ref: 00255BD8
        • Part of subcall function 00255BB4: SelectObject.GDI32(?,00000000), ref: 00255BF0
      • __EH_prolog3.LIBCMT ref: 00279C03
      Similarity
      • API ID: H_prolog3MessageObjectSelectSend$ClientH_prolog3_MetricsParentRectText
      • String ID:
      • API String ID: 3349635734-0
      • Opcode ID: 2864866877c3341f8bbb9eef4f20180e63172f568a6567ecb2c84745d6f22a97
      • Instruction ID: 019792130047ad8e7a02e9543a545cdcf06dc53fb97eb0ada996253fcbb92342
      • Opcode Fuzzy Hash: 2864866877c3341f8bbb9eef4f20180e63172f568a6567ecb2c84745d6f22a97
      • Instruction Fuzzy Hash: 59618D32A106169FCF15DFA8CC95BAE77BAFF48310F144168EC19AB295DB30AD54CB90
      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0032890E
        • Part of subcall function 0032887A: OleGetClipboard.OLE32(?), ref: 00328890
      • ReleaseStgMedium.OLE32(?), ref: 00328991
      • ReleaseStgMedium.OLE32(?), ref: 003289DE
      • ReleaseStgMedium.OLE32(?), ref: 003289ED
      • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,0031DC7D,?,00000000,00000000,00000000,0000005C,00297E5A,?), ref: 00328A9D
      Strings
      Similarity
      • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
      • String ID: '
      • API String ID: 3213536121-1997036262
      • Opcode ID: d9234c7ffdca9fbb8800c1143b5fa847061867a930537afebe3cd47d707eccc9
      • Instruction ID: f2cbdb32bdbf03a56eb14997ad69a303b14ff9a16765d391eedd362125f344e9
      • Opcode Fuzzy Hash: d9234c7ffdca9fbb8800c1143b5fa847061867a930537afebe3cd47d707eccc9
      • Instruction Fuzzy Hash: AC51DC31E01219DBDF069FB8D845ABEBBB9AF49300F15801AF902AB291DF74DD40CB61
      APIs
      Strings
      • MFCVSListbox_RemoveButton, xrefs: 0027A723
      • MFCVSListbox_BrowseButton, xrefs: 0027A6C9
      • MFCVSListbox_DownButton, xrefs: 0027A783
      • MFCVSListbox_UpButton, xrefs: 0027A753
      • MFCVSListbox_NewButton, xrefs: 0027A6F2
      Similarity
      • API ID: H_prolog3
      • String ID: MFCVSListbox_BrowseButton$MFCVSListbox_DownButton$MFCVSListbox_NewButton$MFCVSListbox_RemoveButton$MFCVSListbox_UpButton
      • API String ID: 431132790-4178308353
      • Opcode ID: a8c8a127257ff433baa692a48ceb49cb5adb15494d0efd1575a4727ccc945793
      • Instruction ID: fc3d23d020ec0389ae523e13b840eb78c2c8ad9b68017b085c2767af6f137c68
      • Opcode Fuzzy Hash: a8c8a127257ff433baa692a48ceb49cb5adb15494d0efd1575a4727ccc945793
      • Instruction Fuzzy Hash: CC419570D1020A9EDF25EFA4CC85AFEB7B8AF45374F14862AE825A31D1DB349D14CA61
      APIs
        • Part of subcall function 0031DC35: __EH_prolog3_catch.LIBCMT ref: 0031DC3C
      • UpdateWindow.USER32(?), ref: 00297ECF
      • EqualRect.USER32(?,?), ref: 00297F0F
      • InflateRect.USER32(?,00000002,00000002), ref: 00297F27
      • InvalidateRect.USER32(?,?,00000001), ref: 00297F36
      • InflateRect.USER32(?,00000002,00000002), ref: 00297F4D
      • InvalidateRect.USER32(?,?,00000001), ref: 00297F5F
      • UpdateWindow.USER32(?), ref: 00297F68
        • Part of subcall function 00295C40: InvalidateRect.USER32(?,?,00000001,?), ref: 00295CBA
        • Part of subcall function 00295C40: InflateRect.USER32(?,00000000,?), ref: 00295CFC
        • Part of subcall function 00295C40: RedrawWindow.USER32(?,?,00000000,00000401), ref: 00295D10
      Similarity
      • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
      • String ID:
      • API String ID: 1041772997-0
      • Opcode ID: be906ee3ac39e3851ca18ad0870d44869913e5f32a29909b09f09e35f1a55928
      • Instruction ID: 15663852087669758f8dc3b2d32c98c6aefe294bee544f7313a022eca7b33e49
      • Opcode Fuzzy Hash: be906ee3ac39e3851ca18ad0870d44869913e5f32a29909b09f09e35f1a55928
      • Instruction Fuzzy Hash: 945180766102069FCF15DF64CC88AAE77B9BF49710F140279EC0AAF295DB749D01CBA1
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002504E7
      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,80000001,?,00000000), ref: 002505EB
      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 00250608
      • RegCloseKey.ADVAPI32(?), ref: 00250629
      Strings
      Similarity
      • API ID: CloseEnumH_prolog3_Open
      • String ID: Software\
      • API String ID: 3581956906-964853688
      • Opcode ID: 7b6b4753791f3502f57c3b441d250135afdeb4dc3aae5ff280f4782912d8e01a
      • Instruction ID: f48dbf26fc8b364ebb3b17c39122de3d695238e73f55c59a7239f0e1e312d46f
      • Opcode Fuzzy Hash: 7b6b4753791f3502f57c3b441d250135afdeb4dc3aae5ff280f4782912d8e01a
      • Instruction Fuzzy Hash: 40418172910229AFCB25AFA0DC89EEE777CEF49311F4000A9F905A7251DB349EA4CF54
      APIs
      • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,ACDA73A4), ref: 00241D99
      • GetProcAddress.KERNEL32(00000000), ref: 00241DA0
      • GetCurrentProcess.KERNEL32(?), ref: 00241DB7
      Strings
      Similarity
      • API ID: AddressCurrentHandleModuleProcProcess
      • String ID: 64bit$IsWow64Process$kernel32
      • API String ID: 4190356694-2000771974
      • Opcode ID: d834e604e3807c1627ae963f8c68a7645d58d41e52bbd74c269bc603915dc38e
      • Instruction ID: 8d742102417652928c2f8b588ccd331fc638d46603d945f2c671f8935a8575b0
      • Opcode Fuzzy Hash: d834e604e3807c1627ae963f8c68a7645d58d41e52bbd74c269bc603915dc38e
      • Instruction Fuzzy Hash: 3341A175A00609EFDB15DF68C888B9AB7F8FF05310F108669F8159B291E770E918CF90
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00286F08
      • CopyRect.USER32(?,?), ref: 00286FBC
      • IsRectEmpty.USER32(?), ref: 00286FD4
      • IsRectEmpty.USER32(?), ref: 00286FEC
      • IsRectEmpty.USER32(?), ref: 00287001
        • Part of subcall function 0027D3BA: __EH_prolog3.LIBCMT ref: 0027D3C1
        • Part of subcall function 0027D3BA: LoadCursorW.USER32(00000000,00007F00), ref: 0027D3E5
        • Part of subcall function 0027D3BA: GetClassInfoW.USER32(?,?,?), ref: 0027D426
      Strings
      Similarity
      • API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
      • String ID: Afx:ControlBar
      • API String ID: 685170547-4244778371
      • Opcode ID: 7da4c4cecee6054fcaffaca36e7907e39cefdeecda642a7a889679eac70b1655
      • Instruction ID: b54630d13dae22cf32681c0209d81cbd17da22da1501689ca900a9a6179c8895
      • Opcode Fuzzy Hash: 7da4c4cecee6054fcaffaca36e7907e39cefdeecda642a7a889679eac70b1655
      • Instruction Fuzzy Hash: 7F414675A102099BCF06EFA4D885AEE77B9AF49300F140069FD05BB291DB75EA15CF60
      APIs
      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,?), ref: 0027897D
      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000208), ref: 002789E0
      • __EH_prolog3.LIBCMT ref: 00278A1D
        • Part of subcall function 002677B2: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 002677C7
        • Part of subcall function 002B2501: __EH_prolog3.LIBCMT ref: 002B2508
        • Part of subcall function 002B257F: __EH_prolog3.LIBCMT ref: 002B2586
      Strings
      Similarity
      • API ID: H_prolog3$FileInfo$ByteCharMultiWide
      • String ID: ???$MFCShellTreeCtrl_EnableShellContextMenu$TRUE
      • API String ID: 1362241028-3649263699
      • Opcode ID: 3f23c49963a7fd9863c897c1a37c23ef51b92fe501d6ba90110b7b473771ae1f
      • Instruction ID: 4ceb2983cd4896c7ec885f1e72608bcbd0549ce77bfb0ddeb65b75380afda2bd
      • Opcode Fuzzy Hash: 3f23c49963a7fd9863c897c1a37c23ef51b92fe501d6ba90110b7b473771ae1f
      • Instruction Fuzzy Hash: 1B418330A2020AEFDB19EFA4CC4AFFEB7B8AF14304F508569B519A61D1DF749A14CB51
      APIs
      • GetParent.USER32(?), ref: 0025BF3B
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0025BF5D
      • UpdateWindow.USER32(?), ref: 0025BF77
      • SendMessageW.USER32(?,00000121,00000001,?), ref: 0025BF9D
      • SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 0025BFB4
      • UpdateWindow.USER32(?), ref: 0025C000
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0025C042
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Message$Window$PeekSendUpdate$LongParent
      • String ID:
      • API String ID: 2853195852-0
      • Opcode ID: 84764580bb507c2e7169d65e326835f3803e5219d1583b42949eb7edb6b16394
      • Instruction ID: 491b9ffd2f9a10bb7f0ab87d8e9aeb5d66b1a84731500484af4476808cd61200
      • Opcode Fuzzy Hash: 84764580bb507c2e7169d65e326835f3803e5219d1583b42949eb7edb6b16394
      • Instruction Fuzzy Hash: A1418031A20316AFEB169FA4CC49B6E7BB8BF00756F144118FD01A75D0D7B0AD648F98
      APIs
        • Part of subcall function 0024C350: GetParent.USER32(?), ref: 0024C3B0
        • Part of subcall function 0024C350: GetLastActivePopup.USER32(?), ref: 0024C3CA
        • Part of subcall function 0024C350: IsWindowEnabled.USER32(?), ref: 0024C3DE
        • Part of subcall function 0024C350: EnableWindow.USER32(?,00000000), ref: 0024C3F1
      • EnableWindow.USER32(?,00000001), ref: 0024C450
      • GetWindowThreadProcessId.USER32(?,?), ref: 0024C466
      • GetCurrentProcessId.KERNEL32 ref: 0024C470
      • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 0024C486
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0024C509
      • MessageBoxW.USER32(?,?,?,?), ref: 0024C52B
      • EnableWindow.USER32(00000000,00000001), ref: 0024C550
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
      • String ID:
      • API String ID: 1924968399-0
      • Opcode ID: 56386703eb3a780024cd99166b5de502c552d6cf402b3e322730675c5215fd19
      • Instruction ID: e58c1fb50753ccde19b2812a1d8c8352409a892c4f3c7e7be2bbf3628db9a992
      • Opcode Fuzzy Hash: 56386703eb3a780024cd99166b5de502c552d6cf402b3e322730675c5215fd19
      • Instruction Fuzzy Hash: AC41CF75A5221A9BDB64DF68CD88BFDB3B8EF14300F2005A9E519E7280D7709E808F60
      APIs
      • SendMessageW.USER32(?,00000407,00000000,?), ref: 0026AC0E
      • GetParent.USER32(?), ref: 0026AC32
      • SendMessageW.USER32(00000000,00000111,?), ref: 0026AC5F
      • GetParent.USER32(?), ref: 0026AC7E
      • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0026ACE7
      • GetParent.USER32(?), ref: 0026ACF0
      • GetWindowLongW.USER32(?,000000F4), ref: 0026AD0B
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Parent$MessageSendWindow$LongRedraw
      • String ID:
      • API String ID: 4271267155-0
      • Opcode ID: 359b9d94d41e680709623e8cd1a916e4ad5bf29133785bc285def4151a30e71c
      • Instruction ID: 12bc446793220c82ad9ea6abfd84b6ec13b4bc914ace9aad780205a723ab67b6
      • Opcode Fuzzy Hash: 359b9d94d41e680709623e8cd1a916e4ad5bf29133785bc285def4151a30e71c
      • Instruction Fuzzy Hash: 4631E271621216EFDF255F29CD88A6ABAA8FF09301F044127F546A6061D775DCE0CFA2
      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 002502E2
      • RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228,002505DA,80000001,?,00000000), ref: 00250388
        • Part of subcall function 0024C56F: __EH_prolog3.LIBCMT ref: 0024C576
      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 002503AC
      • RegCloseKey.ADVAPI32(?), ref: 00250461
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
      • String ID: Software\Classes\
      • API String ID: 854624316-1121929649
      • Opcode ID: aa4d30ca0467af8fdd44c6dfbcc64a326c482ab72954df5b42c1b5bf0864b8f0
      • Instruction ID: 565535bf2720f204cc7ad2a8434f589d87966cf22ca419ee7c1cd29afa1eaac3
      • Opcode Fuzzy Hash: aa4d30ca0467af8fdd44c6dfbcc64a326c482ab72954df5b42c1b5bf0864b8f0
      • Instruction Fuzzy Hash: 3741C336920219EBCB25DFA4DCD8BEDB7B8AF58310F1000D5E90567252DB709E98CE20
      APIs
      • GetModuleHandleW.KERNEL32(user32.dll), ref: 0025AE99
      • GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 0025AECE
      • GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 0025AEF6
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressProc$HandleModule
      • String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
      • API String ID: 667068680-1853737257
      • Opcode ID: 064879844beb69fd7754592d9c67413ef58654212ede349c2e86fc60feeafd9a
      • Instruction ID: fd111de0cef4dbbced2013dc7cf9540e1ad87cb0eacb1470e5c9eb27d8b992d0
      • Opcode Fuzzy Hash: 064879844beb69fd7754592d9c67413ef58654212ede349c2e86fc60feeafd9a
      • Instruction Fuzzy Hash: 63310BB8721311AFCB199F25ED969693BA4FB85761B00153EFD02E32E0DB718D14CB19
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 002C750F
      • GetKeyboardLayout.USER32(00000000), ref: 002C7552
      • MapVirtualKeyExW.USER32(?,00000000,00000000), ref: 002C755B
      • GetKeyNameTextW.USER32(00000000,?,00000032), ref: 002C7582
      • IsCharLowerW.USER32(?,00000000,?,00000000), ref: 002C75BF
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CharH_prolog3_KeyboardLayoutLowerNameTextVirtual
      • String ID: Pause
      • API String ID: 2563161834-375111145
      • Opcode ID: 130ffb6cfd26da6a7a213b10d6c616d67113d5a1fb5a26e8153f6f3487ecef65
      • Instruction ID: 7cab5858f8598accb353b4f46164f6758974ce6a4bbf83a8870ada5780c5485d
      • Opcode Fuzzy Hash: 130ffb6cfd26da6a7a213b10d6c616d67113d5a1fb5a26e8153f6f3487ecef65
      • Instruction Fuzzy Hash: B131BE31C24114ABEB26BBA4DC85EBEB36CEF45340F50451EF851AB092DB359915CF60
      APIs
      • LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 002E409E
      • ValidateRect.USER32(?,00000000,?), ref: 002E40DA
      • UpdateWindow.USER32(?), ref: 002E40E3
      • LockWindowUpdate.USER32(00000000), ref: 002E40F4
      • ValidateRect.USER32(?,00000000,?), ref: 002E4122
      • UpdateWindow.USER32(?), ref: 002E412B
      • LockWindowUpdate.USER32(00000000), ref: 002E413C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: UpdateWindow$Lock$RectValidate
      • String ID:
      • API String ID: 797752328-0
      • Opcode ID: 5fec26231f3ca6be02716593d7fdce335c251296f916d0fde6f57bb7662e2234
      • Instruction ID: 7e9994f9e8c9fc720fe86d568b501672a8224a8122a9386546049bdcb57afb0b
      • Opcode Fuzzy Hash: 5fec26231f3ca6be02716593d7fdce335c251296f916d0fde6f57bb7662e2234
      • Instruction Fuzzy Hash: 3E31D131550206EFCF25AF61C908B6ABBB9FF54700F514569F94AA7260EB31EC20CB40
      APIs
      • FillRect.USER32(?,?,-000000A0), ref: 00291025
      • InflateRect.USER32(?,000000FF,000000FF), ref: 00291033
      • PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 00291059
      • PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 00291072
      • PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 0029108B
      • PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 002910A7
      • FillRect.USER32(?,?,-000000D0), ref: 002910CA
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Fill$Inflate
      • String ID:
      • API String ID: 2224923502-0
      • Opcode ID: c220ea21a96d5bc4cf00a03032255f4f1a33675b4ce851566e4f8395e5b9a30f
      • Instruction ID: e6f3120fbffe1a1366e60dda7681a0c21f951c92d0ebdfed4eb6a1ba3f092dc5
      • Opcode Fuzzy Hash: c220ea21a96d5bc4cf00a03032255f4f1a33675b4ce851566e4f8395e5b9a30f
      • Instruction Fuzzy Hash: 1531F97611010AEFDF01DF98DD89EAA7BADFB09314F048525FA29861A0D772ED60DF60
      APIs
        • Part of subcall function 0029CAAF: __EH_prolog3_GS.LIBCMT ref: 0029CAB6
        • Part of subcall function 0029CAAF: GetWindowRect.USER32(00000000,00000000), ref: 0029CB04
        • Part of subcall function 0029CAAF: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 0029CB2E
        • Part of subcall function 0029CAAF: SetWindowRgn.USER32(00000000,?,00000000), ref: 0029CB44
      • GetSystemMenu.USER32(?,00000000), ref: 00299F69
      • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 00299F86
      • DeleteMenu.USER32(?,0000F020,00000000), ref: 00299F95
      • DeleteMenu.USER32(?,0000F030,00000000), ref: 00299FA4
      • EnableMenuItem.USER32(?,0000F060,00000001), ref: 00299FCC
        • Part of subcall function 00296DB1: SetRectEmpty.USER32(?), ref: 00296DDC
        • Part of subcall function 00296DB1: ReleaseCapture.USER32 ref: 00296DE2
        • Part of subcall function 00296DB1: SetCapture.USER32(?), ref: 00296DF5
        • Part of subcall function 00296DB1: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00296EF5
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
      • String ID: (;
      • API String ID: 4022425685-2548908618
      • Opcode ID: 76f9ca5c8cb202a779f5e2b3ca50c5536e5d33c62b0cef26f6db8965ff4bd19e
      • Instruction ID: 7c8ae42bbba6318217ddcb283b1da477b04f62bcfc366c0328aa1becc08ffbf6
      • Opcode Fuzzy Hash: 76f9ca5c8cb202a779f5e2b3ca50c5536e5d33c62b0cef26f6db8965ff4bd19e
      • Instruction Fuzzy Hash: 8221C435311222EBDF226F64CC89DBEBF69EF45361B084029F90597661CB319C60DA90
      APIs
      • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,?), ref: 0024FBC7
      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?), ref: 0024FBF3
      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?), ref: 0024FC1F
      • RegCloseKey.ADVAPI32(00000000), ref: 0024FC31
      • RegCloseKey.ADVAPI32(00000000), ref: 0024FC40
        • Part of subcall function 00243030: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00243040
        • Part of subcall function 00243030: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00243050
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CloseCreate$AddressHandleModuleOpenProc
      • String ID: software
      • API String ID: 550756860-2010147023
      • Opcode ID: 16baa9319fa94a4246b393aab2ce6709687d6c1a44265cf77073b96b56ef89af
      • Instruction ID: 49c2779d8b8371e595c25d306912d85111b4b3fea5c734f81b442a7272c7df42
      • Opcode Fuzzy Hash: 16baa9319fa94a4246b393aab2ce6709687d6c1a44265cf77073b96b56ef89af
      • Instruction Fuzzy Hash: 29215E71A1011DFBDB1ADF94DD84EBFBB7DEB85704F11406AB902E6110D7708E60ABA0
      APIs
        • Part of subcall function 0024BFAD: __EH_prolog3.LIBCMT ref: 0024BFB4
      • GetCurrentThreadId.KERNEL32 ref: 00258056
      • SetWindowsHookExW.USER32(00000005,0025C99B,00000000,00000000), ref: 00258066
      • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 002580C9
      • FreeLibrary.KERNEL32(?,?,00247218,?,?,?,00262A40), ref: 002580D9
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressCurrentFreeH_prolog3HookLibraryProcThreadWindows
      • String ID: HtmlHelpW$hhctrl.ocx
      • API String ID: 3379832378-3773518134
      • Opcode ID: 89207d8444f79f882681e6b519e854f32398f6884bd7eb962d9fa40d38a4a0f4
      • Instruction ID: 825e5962f87cfc89241a560fbe6e38613e8e2f4bce4d98e033a7527c1f12a7f6
      • Opcode Fuzzy Hash: 89207d8444f79f882681e6b519e854f32398f6884bd7eb962d9fa40d38a4a0f4
      • Instruction Fuzzy Hash: C4210A31520706ABDB326F61DC09B677B94EF41762F004429FE1DA6590DFB0D8688BA5
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0031CD64
        • Part of subcall function 0031CC82: __EH_prolog3.LIBCMT ref: 0031CC89
        • Part of subcall function 0031CC82: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0031CCDC
        • Part of subcall function 0031CC82: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0031CCF2
      • CopyRect.USER32(?,?), ref: 0031CD98
      • GetCursorPos.USER32(?), ref: 0031CDAA
      • SetRect.USER32(?,?,?,?,?), ref: 0031CDBD
      • IsRectEmpty.USER32(?), ref: 0031CDD8
      • InflateRect.USER32(?,00000002,00000002), ref: 0031CDEA
      • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 0031CE31
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
      • String ID:
      • API String ID: 1837043813-0
      • Opcode ID: 6669b0b8bd396fe1dfd8a360fcd98accdf759c0b7a8718969b80152983cfe4e4
      • Instruction ID: 470829d11e2a5998439ad9cbbe34f395d94f2d7624a0154c2d4402a6772bf62b
      • Opcode Fuzzy Hash: 6669b0b8bd396fe1dfd8a360fcd98accdf759c0b7a8718969b80152983cfe4e4
      • Instruction Fuzzy Hash: F6312575A11749EFDB0AAFE4DC849EEBB79FF09300B015029F902AB250CB34A955CF50
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID: api-ms-$ext-ms-
      • API String ID: 0-537541572
      • Opcode ID: e98326502a9114e576cb07d866842bad987e92d7275f2317c0775bb11b0a8c2b
      • Instruction ID: 43fe71630b0e47969911e917f5a7492584b85ffb7d4e813a504ab7de284be35a
      • Opcode Fuzzy Hash: e98326502a9114e576cb07d866842bad987e92d7275f2317c0775bb11b0a8c2b
      • Instruction Fuzzy Hash: B321EB36A15325ABDF239BB4AC40E5B775CAF16760F220210E826AB6D0D730DC0296D0
      APIs
      • GetAsyncKeyState.USER32(00000012), ref: 002C7AFF
      • GetAsyncKeyState.USER32(00000012), ref: 002C7B1F
      • GetKeyboardState.USER32(?,?,?,?), ref: 002C7B53
      • GetKeyboardLayout.USER32(?), ref: 002C7B65
      • MapVirtualKeyW.USER32(?,00000000), ref: 002C7B81
      • ToUnicodeEx.USER32(?,00000000,?,?,?), ref: 002C7B89
      • CharUpperW.USER32(?,?,?,?), ref: 002C7B9F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
      • String ID:
      • API String ID: 298839909-0
      • Opcode ID: ffe3492a86848fd07736089f93cf1dbe284ca172bb347a64e6fbd677114b3af7
      • Instruction ID: 4fb25fc3bfbea5525c77d42ad296289dabc9a9c9173b8b542ffc2cf5fd3351ae
      • Opcode Fuzzy Hash: ffe3492a86848fd07736089f93cf1dbe284ca172bb347a64e6fbd677114b3af7
      • Instruction Fuzzy Hash: 1921D171524219ABEB12AF64DC09FED73ACEF15B04F4000A9F645E6090DBB49AD08FA0
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00243104
      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00243122
      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000), ref: 0024315B
      • RegCloseKey.ADVAPI32(00000000), ref: 0024316E
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressCloseHandleModuleOpenProc
      • String ID: Advapi32.dll$RegOpenKeyTransactedW
      • API String ID: 823179699-3913318428
      • Opcode ID: 07a59e2e478915a8089cbc1b675d36491dd90605f30ee084b7aafb02b61293a1
      • Instruction ID: 5be001c50a5cbd555896fdfd3bc989784e347bb0dfabd34e95683245970b03a2
      • Opcode Fuzzy Hash: 07a59e2e478915a8089cbc1b675d36491dd90605f30ee084b7aafb02b61293a1
      • Instruction Fuzzy Hash: 7B117F31710205ABDF29CF9ADC45B9ABBADEB45750F148029F90CD7190D7B19A60DA60
      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,user32.dll), ref: 0025BC55
      • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 0025BC67
      • GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 0025BC75
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressProc$HandleModule
      • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
      • API String ID: 667068680-2470269259
      • Opcode ID: 7edee0f81251cbae1dfd0ffb01b6df7cbd9f56cc4ea20cc92b633f5109efa293
      • Instruction ID: b2c719b72454f5ccf247c05fddc57e71287e96411aa6e69916d10c6c4d50a098
      • Opcode Fuzzy Hash: 7edee0f81251cbae1dfd0ffb01b6df7cbd9f56cc4ea20cc92b633f5109efa293
      • Instruction Fuzzy Hash: 3B11EE32610615AFC7135F64DC88AAABBA8FF95763B00012BFD0583650CFB0AC248BD8
      APIs
      • GetParent.USER32(?), ref: 002582F7
      • GetWindowRect.USER32(?,?), ref: 0025831B
      • ScreenToClient.USER32(?,?), ref: 00258328
      • ScreenToClient.USER32(?,?), ref: 00258335
      • EqualRect.USER32(?,?), ref: 00258340
      • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 00258367
      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00258371
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$ClientRectScreen$DeferEqualParent
      • String ID:
      • API String ID: 443303494-0
      • Opcode ID: 4152c74f3d8f0eb35da46e728274d0e0fa94cacd7f95e61966698fc7902425db
      • Instruction ID: d4b4990ea07d3cd642422a57e12d7646b3bb4d001ea3f24077fcc985fe8f26d6
      • Opcode Fuzzy Hash: 4152c74f3d8f0eb35da46e728274d0e0fa94cacd7f95e61966698fc7902425db
      • Instruction Fuzzy Hash: B021FC7690010AEFDB11DFA4DD84DAEBBBCEF09705F108569E905EA114DB70DA14CB61
      APIs
        • Part of subcall function 0039B363: _free.LIBCMT ref: 0039B388
      • _free.LIBCMT ref: 0039B3E9
        • Part of subcall function 00392EB8: HeapFree.KERNEL32(00000000,00000000,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?), ref: 00392ECE
        • Part of subcall function 00392EB8: GetLastError.KERNEL32(?,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?,?), ref: 00392EE0
      • _free.LIBCMT ref: 0039B3F4
      • _free.LIBCMT ref: 0039B3FF
      • _free.LIBCMT ref: 0039B453
      • _free.LIBCMT ref: 0039B45E
      • _free.LIBCMT ref: 0039B469
      • _free.LIBCMT ref: 0039B474
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: _free$ErrorFreeHeapLast
      • String ID:
      • API String ID: 776569668-0
      • Opcode ID: 8a9f109b2df654f3810f9b58ebdd52c5c7cc43d5458df8f0376a899786c5f407
      • Instruction ID: a5ad2ac2552b61e07b8a7960b9586771a84fe0ac37e125471ce09c2722005b6f
      • Opcode Fuzzy Hash: 8a9f109b2df654f3810f9b58ebdd52c5c7cc43d5458df8f0376a899786c5f407
      • Instruction Fuzzy Hash: B3115972941B08FADE62FBB5DDC7FCBB7DCAF00700F400815B299AA162DB74A5048690
      APIs
      • IsWindow.USER32(00000000), ref: 0025A0C3
      • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 0025A0EB
      • SizeofResource.KERNEL32(?,00000000), ref: 0025A0FD
      • LoadResource.KERNEL32(?,00000000), ref: 0025A109
      • LockResource.KERNEL32(00000000), ref: 0025A114
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$FindLoadLockSizeofWindow
      • String ID: AFX_DIALOG_LAYOUT
      • API String ID: 2582447065-2436846380
      • Opcode ID: 37ecf5b80894c37a89504bc09d7a412eac3daa01be02487d297a5b18421851c3
      • Instruction ID: 380a465f841465a54fd1c6bb0ce680c2d9d7a300318f2435ca5055add5fa0220
      • Opcode Fuzzy Hash: 37ecf5b80894c37a89504bc09d7a412eac3daa01be02487d297a5b18421851c3
      • Instruction Fuzzy Hash: 59110471620602AFDF125F65CC4AE6F7AACEB49352F148226FD09C3211EB74CD54CB26
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0029CAB6
      • GetWindowRect.USER32(00000000,00000000), ref: 0029CB04
      • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 0029CB2E
      • SetWindowRgn.USER32(00000000,?,00000000), ref: 0029CB44
      • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 0029CB5C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Rect$CreateH_prolog3_Round
      • String ID: p;;
      • API String ID: 2502471913-638170974
      • Opcode ID: 48fca7fb0919a8bd9e5f4fb5f6bb0a8425056e30235a0a5172d72010c02c0aee
      • Instruction ID: 2e8c8f675b6e1edcb563b11658aea16ddca59bc227be5a7c3a3510b60abbf05d
      • Opcode Fuzzy Hash: 48fca7fb0919a8bd9e5f4fb5f6bb0a8425056e30235a0a5172d72010c02c0aee
      • Instruction Fuzzy Hash: F0211AB591021AEFDF05EFA4C9959EEBB78FB09318F140129E505B3261CB345D50CFA5
      APIs
      • ClientToScreen.USER32(?,?), ref: 002517C2
      • GetWindow.USER32(?,00000005), ref: 002517CB
      • GetDlgCtrlID.USER32(00000000), ref: 002517DA
      • GetWindowLongW.USER32(00000000,000000F0), ref: 002517EA
      • GetWindowRect.USER32(00000000,?), ref: 00251808
      • PtInRect.USER32(?,?,?), ref: 00251818
      • GetWindow.USER32(00000000,00000002), ref: 00251825
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Rect$ClientCtrlLongScreen
      • String ID:
      • API String ID: 1315500227-0
      • Opcode ID: 1de6eee38ce986ffeee77f8ce251b014be3fe085909efc1b60c6376eb4b37fac
      • Instruction ID: aae00a2138b2038a1aab0bf234772940cd036309c01a378e6c686ec2df04e9ed
      • Opcode Fuzzy Hash: 1de6eee38ce986ffeee77f8ce251b014be3fe085909efc1b60c6376eb4b37fac
      • Instruction Fuzzy Hash: 87118F7191122AABDB229F699C0CEAF7BACEF5A311F044525FC01E2260D7348A15CB95
      APIs
      • EnableMenuItem.USER32(?,00004212,00000001), ref: 002A4B58
      • EnableMenuItem.USER32(?,00004213,00000001), ref: 002A4B67
      • EnableMenuItem.USER32(?,00004214,00000001), ref: 002A4B76
      • EnableMenuItem.USER32(?,00004211,00000001), ref: 002A4B85
      • EnableMenuItem.USER32(?,00004215,00000001), ref: 002A4B94
      • EnableMenuItem.USER32(?,0000420E,00000001), ref: 002A4BA3
      • EnableMenuItem.USER32(?,0000420F,00000001), ref: 002A4BB2
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: EnableItemMenu
      • String ID:
      • API String ID: 1841910628-0
      • Opcode ID: 83eff5d408b0b46168943d3a9cbd89579d8197bd0acfd53cd4f798e2103ce888
      • Instruction ID: 5851049908d96ae1b8c624fdb80f7320f862b113d75793048876534d31843487
      • Opcode Fuzzy Hash: 83eff5d408b0b46168943d3a9cbd89579d8197bd0acfd53cd4f798e2103ce888
      • Instruction Fuzzy Hash: 3101A7B1240614BFFB121F60DE8AC577BEDEB56B55F004025F366554B1C7B35C50AB24
      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00250A77
      • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 00250A87
      • EncodePointer.KERNEL32(00000000), ref: 00250A90
      • DecodePointer.KERNEL32(00000000), ref: 00250A9E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: BeginBufferedPaint$uxtheme.dll
      • API String ID: 2061474489-1632326970
      • Opcode ID: 4a988c92e5941696e9c8f452ac48cf7d7dfa759ec639cdba9e1460fc90092a6a
      • Instruction ID: 77adbf5d07690650f30d341f80fa6a5159d5f5d2dcd4a35367808dc06ed9f617
      • Opcode Fuzzy Hash: 4a988c92e5941696e9c8f452ac48cf7d7dfa759ec639cdba9e1460fc90092a6a
      • Instruction Fuzzy Hash: 00F03035A11326BBCF136FA4DD5C9AA3B6DBB057917050420FE05D2160D771C8609B98
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,002499BF,?,?,?,?), ref: 002511E8
      • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 002511F8
      • EncodePointer.KERNEL32(00000000,?,?,002499BF,?,?,?,?), ref: 00251201
      • DecodePointer.KERNEL32(00000000,?,?,002499BF,?,?,?,?), ref: 0025120F
      Strings
      • RegisterApplicationRecoveryCallback, xrefs: 002511F2
      • kernel32.dll, xrefs: 002511E3
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
      • API String ID: 2061474489-202725706
      • Opcode ID: 4d3b622f0bd4b15752aa2ecf94736326c876d18978f90fd56a04d158bcc2dbbb
      • Instruction ID: c81dcc5790de808e7d747642d5fbadc61e033f0386b2eb90f4c63c7dcf2a6d19
      • Opcode Fuzzy Hash: 4d3b622f0bd4b15752aa2ecf94736326c876d18978f90fd56a04d158bcc2dbbb
      • Instruction Fuzzy Hash: 8AF0B435520326ABCF122F64ED1CEAA3B6CAF45752F440120FD01E62A0D770CC30CB98
      APIs
      • GetModuleHandleW.KERNEL32(shell32.dll), ref: 002512AC
      • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 002512BC
      • EncodePointer.KERNEL32(00000000), ref: 002512C5
      • DecodePointer.KERNEL32(00000000), ref: 002512D3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: SHCreateItemFromParsingName$shell32.dll
      • API String ID: 2061474489-2320870614
      • Opcode ID: 10fc8f66eb55faf1e1feb9f2438a3d3a84aad84d236d4780fb65fea9dc22ca75
      • Instruction ID: 6fb1a24ae0b22929f3ee1af1b06533b0308590c979125ee0bb7fe2780bb86ba7
      • Opcode Fuzzy Hash: 10fc8f66eb55faf1e1feb9f2438a3d3a84aad84d236d4780fb65fea9dc22ca75
      • Instruction Fuzzy Hash: 09F0B435511336ABCF122F64DC1DAAA3B6CAB05752F040421FD05E62B0DBB0CC309B98
      APIs
      • GetModuleHandleW.KERNEL32(shell32.dll), ref: 00251311
      • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00251321
      • EncodePointer.KERNEL32(00000000), ref: 0025132A
      • DecodePointer.KERNEL32(00000000), ref: 00251338
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: SHGetKnownFolderPath$shell32.dll
      • API String ID: 2061474489-2936008475
      • Opcode ID: 2a130bca0f3c38d3edd129863b7ac96dd2f850860141636dcccc07870df775da
      • Instruction ID: 1db3cf711a01c1c30bbee42f167ad18df7b704f270c6aa5d24f2242e54a820dc
      • Opcode Fuzzy Hash: 2a130bca0f3c38d3edd129863b7ac96dd2f850860141636dcccc07870df775da
      • Instruction Fuzzy Hash: 91F09036511326BBCF122F60DD2CAAA3FACAB45B95B050460FD05A6670C7B0CC208B98
      APIs
      • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00251376
      • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00251386
      • EncodePointer.KERNEL32(00000000), ref: 0025138F
      • DecodePointer.KERNEL32(00000000), ref: 0025139D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: TaskDialogIndirect$comctl32.dll
      • API String ID: 2061474489-2809879075
      • Opcode ID: 19c1e3704db615804dc3aebc862ce3a5cf6c565eae030cd2e0915ba8ff2d7dd9
      • Instruction ID: 61d060bbcd1a828a5fa5f1707a87ac50bcac6ce0160fd23bd2b787dc55ec3cdb
      • Opcode Fuzzy Hash: 19c1e3704db615804dc3aebc862ce3a5cf6c565eae030cd2e0915ba8ff2d7dd9
      • Instruction Fuzzy Hash: 03F0B435910316BBDF121F64ED2C9AA3BACAF08796B000461FD05E6660D770C8309F98
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,002499A3,?,?), ref: 0025124D
      • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 0025125D
      • EncodePointer.KERNEL32(00000000,?,?,002499A3,?,?), ref: 00251266
      • DecodePointer.KERNEL32(00000000,?,?,002499A3,?,?), ref: 00251274
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: RegisterApplicationRestart$kernel32.dll
      • API String ID: 2061474489-1259503209
      • Opcode ID: 7256ec24aeef4cee1600097a4dbfafba64ab07ffdd9be9abd3a002f36a865cc6
      • Instruction ID: 7e97e34a34c50de7ca8027932794bffac70877a1b090abf6e2d8c1429d2b9f8f
      • Opcode Fuzzy Hash: 7256ec24aeef4cee1600097a4dbfafba64ab07ffdd9be9abd3a002f36a865cc6
      • Instruction Fuzzy Hash: 0AF08935511336A7DF121F749C1CA6A3B5C9B45752B014421FD05E72A4D770CC648E98
      APIs
      • GetModuleHandleW.KERNEL32(user32.dll), ref: 00250B86
      • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 00250B96
      • EncodePointer.KERNEL32(00000000), ref: 00250B9F
      • DecodePointer.KERNEL32(00000000), ref: 00250BAD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: ChangeWindowMessageFilter$user32.dll
      • API String ID: 2061474489-2498399450
      • Opcode ID: 025d6cc2faaddabcbd477038b9ae5340a10e2a9ab32ce42092b3505caa00e14c
      • Instruction ID: bc41098b87841df99b74850241f5aa309c07d19866a883abd1d26ac9d6e4d2ce
      • Opcode Fuzzy Hash: 025d6cc2faaddabcbd477038b9ae5340a10e2a9ab32ce42092b3505caa00e14c
      • Instruction Fuzzy Hash: 3AF08235511326AFCB122F71ADDCDAA3BACAB05B9A7044431FC01E22A0D7B088108A98
      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00250EBD
      • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 00250ECD
      • EncodePointer.KERNEL32(00000000), ref: 00250ED6
      • DecodePointer.KERNEL32(00000000), ref: 00250EE4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: EndBufferedPaint$uxtheme.dll
      • API String ID: 2061474489-2993015961
      • Opcode ID: 6091777acbe6b9b2f6b681456d69c6e0c6410c4f950df00338e1935cff677952
      • Instruction ID: d187ecca6a37db749d1cb3a947d85e029acac0bec2109e1ada7dd30a54abdc39
      • Opcode Fuzzy Hash: 6091777acbe6b9b2f6b681456d69c6e0c6410c4f950df00338e1935cff677952
      • Instruction Fuzzy Hash: 50F08235511326ABCB222F64ED6DD6E3B6CAB05B967004521FD06E76A0DBB09C118FA8
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00248C7A,00000000), ref: 00250A1B
      • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00250A2B
      • EncodePointer.KERNEL32(00000000,?,?,00248C7A,00000000), ref: 00250A34
      • DecodePointer.KERNEL32(00000000,?,?,00248C7A,00000000), ref: 00250A42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: ApplicationRecoveryInProgress$kernel32.dll
      • API String ID: 2061474489-2899047487
      • Opcode ID: 388af2437f8e1a7f8ff485a99801c7fb3cf4e0a76afed45461f342ae7cbb22ab
      • Instruction ID: 2bb654880f37c069f2943aca54a6b9b5d24a1aa81f34721326991b71c4c516b9
      • Opcode Fuzzy Hash: 388af2437f8e1a7f8ff485a99801c7fb3cf4e0a76afed45461f342ae7cbb22ab
      • Instruction Fuzzy Hash: 29F0EC39551722ABCF125F64AD9C96E3BACAB45B927040021FE06E3290D7B0CC108B98
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00248CBD,00000001), ref: 002509C6
      • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 002509D6
      • EncodePointer.KERNEL32(00000000,?,00248CBD,00000001), ref: 002509DF
      • DecodePointer.KERNEL32(00000000,?,?,00248CBD,00000001), ref: 002509ED
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: ApplicationRecoveryFinished$kernel32.dll
      • API String ID: 2061474489-1962646049
      • Opcode ID: 1840f11a376b61289639ead06be3eafde60c0132cc8c5f3fd2ea75c719eb4e5a
      • Instruction ID: 7df7611f7f1205e636abcc57c6b007164c0133eeab20d6fc5329e56652439998
      • Opcode Fuzzy Hash: 1840f11a376b61289639ead06be3eafde60c0132cc8c5f3fd2ea75c719eb4e5a
      • Instruction Fuzzy Hash: BDF06535A11326AB9B122F65ADAD9AB3B6C9A45F977440521FD02E3290DBB48C108AD8
      APIs
      • GetModuleHandleW.KERNEL32(shell32.dll,00000000,00258127,?,0026296B,000FC000,00000010,00000040,00262B54,00000000,00000000,?,?,?,?,002628D0), ref: 00251148
      • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 00251158
      • EncodePointer.KERNEL32(00000000,?,?,?,002628D0,00000000,00000000,?,?,?,0025E8BF,00000000,00000000,?,80004005), ref: 00251161
      • DecodePointer.KERNEL32(00000000,00000000,00258127,?,0026296B,000FC000,00000010,00000040,00262B54,00000000,00000000,?,?,?,?,002628D0), ref: 0025116F
      Strings
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: InitNetworkAddressControl$shell32.dll
      • API String ID: 2061474489-1950653938
      • Opcode ID: 33a50c7230a1497226419731d72e4785a0d894f6ac9702d0e8a19847aa5ba9be
      • Instruction ID: fb1b4abe88f4a28d915dd3fff036fd22beb97acb87c38e4a1e12e6ba2c8ce534
      • Opcode Fuzzy Hash: 33a50c7230a1497226419731d72e4785a0d894f6ac9702d0e8a19847aa5ba9be
      • Instruction Fuzzy Hash: 58E09B35611B327BDB123F70BD1C9AE375C9B427567054561FD01E31A0D7748C51C698
      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll,?,0027C77D,00000001,00000000,?,?,?,00000008,002A46FE,?), ref: 00250AD9
      • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 00250AE9
      • EncodePointer.KERNEL32(00000000,?,?,?,00000008,002A46FE,?), ref: 00250AF2
      • DecodePointer.KERNEL32(00000000,?,0027C77D,00000001,00000000,?,?,?,00000008,002A46FE,?), ref: 00250B00
      Strings
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: BufferedPaintInit$uxtheme.dll
      • API String ID: 2061474489-1331937065
      • Opcode ID: 66d1ffa93d3bfe70f8ef4082ede9d6f112bbdd0c3c1d38f7b7f7b0caf19ebf88
      • Instruction ID: 3b59315df0b0e242867b98ab0c791c2900991991bc87f8d8bf0ba4216438c4df
      • Opcode Fuzzy Hash: 66d1ffa93d3bfe70f8ef4082ede9d6f112bbdd0c3c1d38f7b7f7b0caf19ebf88
      • Instruction Fuzzy Hash: C3E0E535A4133367CB522B74BC9C9AA375CBB457867050520FC01E3190DB708C018B98
      APIs
      • GetModuleHandleW.KERNEL32(uxtheme.dll,?,0027CC33,?,?,0027C886,ACDA73A4,?,?,?,003A2117,000000FF), ref: 00250B2E
      • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 00250B3E
      • EncodePointer.KERNEL32(00000000,?,0027CC33,?,?,0027C886,ACDA73A4,?,?,?,003A2117,000000FF), ref: 00250B47
      • DecodePointer.KERNEL32(00000000,?,0027CC33,?,?,0027C886,ACDA73A4,?,?,?,003A2117,000000FF), ref: 00250B55
      Strings
      Similarity
      • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
      • String ID: BufferedPaintUnInit$uxtheme.dll
      • API String ID: 2061474489-1501038116
      • Opcode ID: 78882328a9fc4d0e6fdf169a225037a9b9206e27a58c834b1f658862ceff4663
      • Instruction ID: 553e345efb6f8b26543cb3c1ae33fbf6d6e71e8598423a63bc9565319b2ee993
      • Opcode Fuzzy Hash: 78882328a9fc4d0e6fdf169a225037a9b9206e27a58c834b1f658862ceff4663
      • Instruction Fuzzy Hash: 06E06535A01733ABDA123F74BD9CE9E376C9B45B9A7050561FD02E3190D7748C458AA8
      APIs
      • GetConsoleCP.KERNEL32(003874C1,00000000,00000000), ref: 0039553D
      • __fassign.LIBCMT ref: 0039571C
      • __fassign.LIBCMT ref: 00395739
      • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00395781
      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 003957C1
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0039586D
      Similarity
      • API ID: FileWrite__fassign$ConsoleErrorLast
      • String ID:
      • API String ID: 4031098158-0
      • Opcode ID: e7732fdce156a5f959798da26521aecbf8b7abd86e66952b81278b32d28e3195
      • Instruction ID: f48005cbff6794b07837389a676c581634b20cc1699de82af924f60eb99bacc7
      • Opcode Fuzzy Hash: e7732fdce156a5f959798da26521aecbf8b7abd86e66952b81278b32d28e3195
      • Instruction Fuzzy Hash: 42D1AF75D006589FCF16CFA8C9809EDBBB9FF49310F294169E816FB241D630AA86CB50
      APIs
      • GetParent.USER32(?), ref: 00298172
      • GetParent.USER32(?), ref: 00298191
      • GetParent.USER32(?), ref: 002981A0
      • RedrawWindow.USER32(?,00000000,00000000,00000505,003BC9B8,00000000), ref: 00298206
      • GetParent.USER32(?), ref: 0029820F
      • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 00298236
      Similarity
      • API ID: Parent$RedrawWindow
      • String ID:
      • API String ID: 2946272266-0
      • Opcode ID: 3c0b9eb0533adfa4fc58746a047deec1de251c6f9f8ae6b121680f4e1de04d45
      • Instruction ID: 165e29e419e335f5760ecc19cd0042c031c19243a8769ebe6db521b7f58e8810
      • Opcode Fuzzy Hash: 3c0b9eb0533adfa4fc58746a047deec1de251c6f9f8ae6b121680f4e1de04d45
      • Instruction Fuzzy Hash: E8716E35B10616AFDF069F64D898A7E7BB9BF4A310F080069E806973A1DF35AD11CF91
      APIs
      • CallNextHookEx.USER32(00000000,?,?), ref: 0029D789
        • Part of subcall function 002C7897: GetKeyboardState.USER32(?), ref: 002C78B1
        • Part of subcall function 002C7897: GetKeyboardLayout.USER32(?), ref: 002C78D6
        • Part of subcall function 002C7897: MapVirtualKeyW.USER32(?,00000000), ref: 002C78F4
        • Part of subcall function 002C7897: ToUnicodeEx.USER32(?,00000000), ref: 002C78FE
        • Part of subcall function 002C7ADD: GetAsyncKeyState.USER32(00000012), ref: 002C7AFF
        • Part of subcall function 002C7ADD: GetAsyncKeyState.USER32(00000012), ref: 002C7B1F
      • WindowFromPoint.USER32(?,?), ref: 0029D7B3
      • ScreenToClient.USER32(?,00000000), ref: 0029D7E4
      • GetParent.USER32(?), ref: 0029D849
      • UpdateWindow.USER32(?), ref: 0029D8AF
      • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 0029D97A
      Similarity
      • API ID: State$AsyncKeyboardWindow$CallClientFromHookLayoutMessageNextParentPointScreenSendUnicodeUpdateVirtual
      • String ID:
      • API String ID: 1336928137-0
      • Opcode ID: 1a6da0e1031a6f761ce31fe8cc273d21629d0902ed9154392e591bead046c157
      • Instruction ID: abea5afe8b817fdd1d518062b6932cda6c3cd85d7c2daa40d0a67c383b100d29
      • Opcode Fuzzy Hash: 1a6da0e1031a6f761ce31fe8cc273d21629d0902ed9154392e591bead046c157
      • Instruction Fuzzy Hash: A6610376620206EFDF16AFA4DD44EAE7BB9FF89310F100169F905A72A1DB309921DF50
      APIs
      • GetParent.USER32(?), ref: 002A169F
      • GetCursorPos.USER32(00000000), ref: 002A16C0
      • ScreenToClient.USER32(?,00000000), ref: 002A16CD
      • PtInRect.USER32(?,00000000,00000000), ref: 002A16E0
      • SendMessageW.USER32(00000000,00000000,004050D8), ref: 002A1723
      • SendMessageW.USER32(?,00000000,004050D8), ref: 002A1740
      Similarity
      • API ID: MessageSend$ClientCursorParentRectScreen
      • String ID:
      • API String ID: 4164469669-0
      • Opcode ID: 16adb724cb72e0aa713f22cd645549394721c8dffbf7b40e0fb8d47b6f6c45d1
      • Instruction ID: acc93bdfd86e24c5cb6199d5717b3775cf025ea2db7eff630b2af9906f406ade
      • Opcode Fuzzy Hash: 16adb724cb72e0aa713f22cd645549394721c8dffbf7b40e0fb8d47b6f6c45d1
      • Instruction Fuzzy Hash: 4451A075A10606EFDB159F65C884AAEBBA9FF49320F04417AE819D7210DF34A830CFA5
      APIs
      • PtInRect.USER32(?,?,?), ref: 0032B8D3
      • PtInRect.USER32(?,?,?), ref: 0032B8EB
      • GetWindowRect.USER32(?,?), ref: 0032B918
      • PtInRect.USER32(?,?,?), ref: 0032B959
      • InflateRect.USER32(?,?,?), ref: 0032B96F
      • PtInRect.USER32(?,?,?), ref: 0032B97F
        • Part of subcall function 002DBF04: __EH_prolog3.LIBCMT ref: 002DBF0B
      Similarity
      • API ID: Rect$H_prolog3InflateWindow
      • String ID:
      • API String ID: 1292614506-0
      • Opcode ID: 8be7d59227e4eff83be82a553930d4c02332b08fa11392aaa3aa64a64ff50723
      • Instruction ID: 01e8954bdd3ccec224206502c60e775ca45c40c294ce7911c5a816d993588472
      • Opcode Fuzzy Hash: 8be7d59227e4eff83be82a553930d4c02332b08fa11392aaa3aa64a64ff50723
      • Instruction Fuzzy Hash: 35513E71A00219AFCF06CFA9E994AEEBBF9FF48710F15412AE905E7260D7349A40CF50
      APIs
      • GetClientRect.USER32(?,?), ref: 00273D46
      • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00273D8C
      • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00273DBC
      • SendMessageW.USER32(?,00000201,00000000,00000000), ref: 00273E42
      • SendMessageW.USER32(?,00000202,00000000,00000000), ref: 00273E5E
      • PtInRect.USER32(?,?,?), ref: 00273E7E
      Similarity
      • API ID: MessageSend$Rect$Client
      • String ID:
      • API String ID: 4194289498-0
      • Opcode ID: 7257a3f1cd599259f57e1c486a02143b45d90494a2bda1d4b3827cbd5738b5c9
      • Instruction ID: b13f8063b8518ecf29148c52e8d7949925cbc84290488cde63f863b666b5aaa4
      • Opcode Fuzzy Hash: 7257a3f1cd599259f57e1c486a02143b45d90494a2bda1d4b3827cbd5738b5c9
      • Instruction Fuzzy Hash: 96517F71610215DFCF15DF68CD88EAE7BB9FF89700F1840A9E809AB261CB31AA11DF10
      APIs
      • SendMessageW.USER32(?,00000100,?,00000000), ref: 00284231
      • SendMessageW.USER32(?,0000020A,?,?), ref: 002842C5
      • IsWindow.USER32(?), ref: 002842ED
      • ClientToScreen.USER32(?,?), ref: 002842FE
      • IsWindow.USER32(?), ref: 0028431B
      • ClientToScreen.USER32(?,?), ref: 0028434A
      Similarity
      • API ID: ClientMessageScreenSendWindow
      • String ID:
      • API String ID: 2093367132-0
      • Opcode ID: 64035621e7ca7fe540571eecf585aea92735b8d8d416d1ce8fcaf5f42275e8be
      • Instruction ID: 4706680e592b5c681472f7708f1aa60defb5416b4290daf0ba2ce3b5353ba64e
      • Opcode Fuzzy Hash: 64035621e7ca7fe540571eecf585aea92735b8d8d416d1ce8fcaf5f42275e8be
      • Instruction Fuzzy Hash: E441D339531203EBEF217F64DC48B7EB6A8AB45700F24487AE865D11E2E675DC70E701
      APIs
      Similarity
      • API ID: CursorParentRect$Window
      • String ID:
      • API String ID: 499013921-0
      • Opcode ID: c4be2da9569a9bea834a1105a57a3950c46c3cbd105f05afc8e423a3c86d2eea
      • Instruction ID: 3c6c84d95e6cca0230af741b8777a8196562f05c680ea1381d83585381ab49cb
      • Opcode Fuzzy Hash: c4be2da9569a9bea834a1105a57a3950c46c3cbd105f05afc8e423a3c86d2eea
      • Instruction Fuzzy Hash: 673192B2A2021AAFDB04AFA5DC459AEBBBDFF49710B10442AF405E7210EB74D910CF60
      APIs
      • GetFocus.USER32 ref: 00265C15
        • Part of subcall function 00258388: UnhookWindowsHookEx.USER32(?), ref: 002583B2
      • IsWindowEnabled.USER32(00000000), ref: 00265C4B
      • EnableWindow.USER32(00000000,00000000), ref: 00265C63
      • EnableWindow.USER32(00000000,00000001), ref: 00265D04
      • IsWindow.USER32(00000000), ref: 00265D0B
      • SetFocus.USER32(00000000), ref: 00265D16
      Similarity
      • API ID: Window$EnableFocus$EnabledHookUnhookWindows
      • String ID:
      • API String ID: 2931672367-0
      • Opcode ID: f74373ce35871e4680a63e01645483006e5211d70cd5184443450b7c0f32785f
      • Instruction ID: e99a6c030aa71b99e63d41df8b09a8e3884b0b508a7a3c801ce6dc046796eb48
      • Opcode Fuzzy Hash: f74373ce35871e4680a63e01645483006e5211d70cd5184443450b7c0f32785f
      • Instruction Fuzzy Hash: 2941A330710712EFDB05EF64C889BA9B7A9FF45304F14816AF4098B2A1DB719DA5CF91
      APIs
      • IsWindow.USER32(?), ref: 0026DA4E
      • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0026DA6F
      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0026DA83
      • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0026DAB1
      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0026DAC5
      • __EH_prolog3.LIBCMT ref: 0026DADD
      Similarity
      • API ID: MessageSend$H_prolog3Window
      • String ID:
      • API String ID: 3728102838-0
      • Opcode ID: 767c2000e6607dcd08524d89f3dccbc0f62130b443ce53cfed48038567eb969c
      • Instruction ID: 1ac44cc3c0ee604452bda3cbf22a824c95acf514cf689ab869f9dd9765b14bbb
      • Opcode Fuzzy Hash: 767c2000e6607dcd08524d89f3dccbc0f62130b443ce53cfed48038567eb969c
      • Instruction Fuzzy Hash: A831A431A11126BBDB19AFA1CD46EAF7B79FF46360F100129F405A61A1DB719D20CBA1
      APIs
      • IsWindowVisible.USER32(?), ref: 0025C096
      • GetWindow.USER32(?,00000005), ref: 0025C0AD
      • GetWindowRect.USER32(00000000,00000000), ref: 0025C0D1
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A7D
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A8A
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000015), ref: 0025C0F7
      • GetWindow.USER32(00000000,00000002), ref: 0025C100
      • ScrollWindow.USER32(?,?,?,?,?), ref: 0025C11C
      Similarity
      • API ID: Window$ClientScreen$RectScrollVisible
      • String ID:
      • API String ID: 1714389229-0
      • Opcode ID: c77f8809a87698ae5cc73bf29427bfd5969336acfa451c760d4281246c0a37d7
      • Instruction ID: c6b3d923d20585e391b16ab553e96086faef87c560669d4f63bf49e3f296740b
      • Opcode Fuzzy Hash: c77f8809a87698ae5cc73bf29427bfd5969336acfa451c760d4281246c0a37d7
      • Instruction Fuzzy Hash: 0E317A36610709AFDB12CF54CC88ABEBBB9FF89716F208018F905A7211EB34DD148B64
      APIs
      • GetParent.USER32(?), ref: 0026E035
      • GetKeyState.USER32(00000012), ref: 0026E063
      • GetKeyState.USER32(00000011), ref: 0026E074
      • SendMessageW.USER32(?,00000157,00000000,00000000), ref: 0026E089
      • SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 0026E09E
      • GetNextDlgTabItem.USER32(?,?,00000000), ref: 0026E0DD
      Similarity
      • API ID: MessageSendState$ItemNextParent
      • String ID:
      • API String ID: 1930099164-0
      • Opcode ID: 8f159ec645d4d0bf7f904cfe85a4a4efe41e7d150135d2a8f7136ae10d0e6246
      • Instruction ID: b51939a31fc739811a39219d91c71dc4c46ccde721b461b169a5f2ce273c32de
      • Opcode Fuzzy Hash: 8f159ec645d4d0bf7f904cfe85a4a4efe41e7d150135d2a8f7136ae10d0e6246
      • Instruction Fuzzy Hash: 5B21F8793302179BEE292F389D08A3A766DFB50741F024438F90AB6060EFF19CB08A55
      APIs
      • PatBlt.GDI32(00000000,00000000,-00000002,-00000002,00FF0062,?), ref: 002800EB
      • SetBkColor.GDI32(?), ref: 00280111
      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00CC0020,?,00280A29), ref: 00280139
      • SetBkColor.GDI32(?), ref: 00280152
      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00EE0086,?,00280A29), ref: 0028017A
      • BitBlt.GDI32(00000000,00000001,00000001,00000001,00000001,00000000,00000000,00000000,008800C6), ref: 002801A2
      Similarity
      • API ID: Color
      • String ID:
      • API String ID: 2811717613-0
      • Opcode ID: 914e71b556d732507d3114f4e0a194e0665fa7e3c37dca78af48d3bc0a7ffd61
      • Instruction ID: acb333a141600744f7a1bda0648026ced834f6baa78e614c7a3c83f5813f4c42
      • Opcode Fuzzy Hash: 914e71b556d732507d3114f4e0a194e0665fa7e3c37dca78af48d3bc0a7ffd61
      • Instruction Fuzzy Hash: 8B214A71101A40BFC7219F96ED89D577BBEFBC6B14B004918F646921B0C7BAA870DF20
      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 0024C38B
      • GetParent.USER32(?), ref: 0024C399
      • GetParent.USER32(?), ref: 0024C3B0
      • GetLastActivePopup.USER32(?), ref: 0024C3CA
      • IsWindowEnabled.USER32(?), ref: 0024C3DE
      • EnableWindow.USER32(?,00000000), ref: 0024C3F1
      Similarity
      • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
      • String ID:
      • API String ID: 670545878-0
      • Opcode ID: 043262045fcfc764f6a16c2dedc6b2ff67c8a68a62036fca3a61804ee4d5fc2b
      • Instruction ID: 28b5489d779ced0e2537a091561f636a9ea142210b9bc5fc09c67abe22556bfa
      • Opcode Fuzzy Hash: 043262045fcfc764f6a16c2dedc6b2ff67c8a68a62036fca3a61804ee4d5fc2b
      • Instruction Fuzzy Hash: 7311DD3262232397E7A95F6D984472A7A9CAF55B54F3581A4FC01E7250DB71DC2047E0
      APIs
      • __EH_prolog3.LIBCMT ref: 0026E35D
        • Part of subcall function 0025701C: IsWindowEnabled.USER32(?), ref: 00257027
      • InvalidateRect.USER32(?,00000000,00000001,0000000C,0026E742), ref: 0026E389
      • UpdateWindow.USER32(?), ref: 0026E392
      Similarity
      • API ID: Window$EnabledH_prolog3InvalidateRectUpdate
      • String ID:
      • API String ID: 262192325-0
      • Opcode ID: 6d30b6fb1e99911ed1a773b2cb1f7710e190b0f93393fae5f2e7132ec67bf593
      • Instruction ID: 848f1fd5393d8896401c60b2403da27522d660a120e5d8a334c34c7508959357
      • Opcode Fuzzy Hash: 6d30b6fb1e99911ed1a773b2cb1f7710e190b0f93393fae5f2e7132ec67bf593
      • Instruction Fuzzy Hash: 29218071814205DFCB25AF71CC499AFBBB8FF49300F10091CF14A96262DB349914CF20
      APIs
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FEE1
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FEF7
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FF02
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FF0D
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FF18
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0031FF23
      Similarity
      • API ID: ContextExternal$BaseBase::~Concurrency::details::
      • String ID:
      • API String ID: 1690591649-0
      • Opcode ID: e860c45585df1af71776a20975972cdcabea501b545c9f4270181a98776e5cc8
      • Instruction ID: 61110b2545b00f64cbfffadee39b01a365cfd67190f662cc6173d3c85879462f
      • Opcode Fuzzy Hash: e860c45585df1af71776a20975972cdcabea501b545c9f4270181a98776e5cc8
      • Instruction Fuzzy Hash: F0216832310901ABC70EEB64C8A1BE9F769FB45710F40462CE41B47292DF346A66CF95
      APIs
      • GetParent.USER32(?), ref: 0026A5BF
        • Part of subcall function 00256E2D: GetDlgCtrlID.USER32(?), ref: 00256E38
      • SendMessageW.USER32(?,00000111,?,?), ref: 0026A5E8
      • SetCapture.USER32(?,?,?,?,002710C9,?,?,?), ref: 0026A610
      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,002710C9,?,?,?), ref: 0026A627
      • UpdateWindow.USER32(?), ref: 0026A630
      • SetTimer.USER32(?,0000EC0D,?,00000000), ref: 0026A64A
      Similarity
      • API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
      • String ID:
      • API String ID: 171814724-0
      • Opcode ID: a9ca53c21e8ced4ccdf4252729b29e3554a46c26809679cd72518c2949dc386a
      • Instruction ID: 5892d6e96fcf2d22c70ff1b814994e5293ef5c5b2d152d84c6cf2208cf9db782
      • Opcode Fuzzy Hash: a9ca53c21e8ced4ccdf4252729b29e3554a46c26809679cd72518c2949dc386a
      • Instruction Fuzzy Hash: 45114872720616BFDB095F75CC88AA6BA6EFB09301F04022AF64996530DB70A874DF95
      APIs
      • GetFocus.USER32 ref: 00251554
        • Part of subcall function 00251895: GetWindowLongW.USER32(?,000000F0), ref: 002518B0
        • Part of subcall function 00251895: GetClassNameW.USER32(?,?,0000000A), ref: 002518C5
        • Part of subcall function 00251895: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 002518DC
      • GetParent.USER32(00000000), ref: 00251575
      • GetWindowLongW.USER32(?,000000F0), ref: 00251594
      • GetParent.USER32(?), ref: 002515A2
      • GetDesktopWindow.USER32 ref: 002515AA
      • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 002515BE
      Similarity
      • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
      • String ID:
      • API String ID: 1233893325-0
      • Opcode ID: 1986688880456f491ba1788e336850e53a51f2dc14ad009fc0335d3ce9d75675
      • Instruction ID: 1e5af95ae05c1ae2efcebc509850b32a2eff142a7a20fd03629905ccbedbb087
      • Opcode Fuzzy Hash: 1986688880456f491ba1788e336850e53a51f2dc14ad009fc0335d3ce9d75675
      • Instruction Fuzzy Hash: F5F0813221122263E2232F245C0DFBE319D8BC2B66F490110FD03A61D4EB349D755599
      APIs
      • SetRectEmpty.USER32(?), ref: 002E29A2
      • GetKeyState.USER32(00000011), ref: 002E29AA
      • IsRectEmpty.USER32(?), ref: 002E2A13
      • GetWindowRect.USER32(00000000,?), ref: 002E2BE5
      Strings
      Similarity
      • API ID: Rect$Empty$StateWindow
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 2684165152-973906075
      • Opcode ID: 9f6acbb25603fd7cf4b48801f0aa505c3623aa39bd1fec9a261c5348e24ab9ee
      • Instruction ID: d184cba8dc06ad0d63ae06f8c5643ed1d24aefc79a537094dbb346a86ad11ac7
      • Opcode Fuzzy Hash: 9f6acbb25603fd7cf4b48801f0aa505c3623aa39bd1fec9a261c5348e24ab9ee
      • Instruction Fuzzy Hash: 7CA1C032A1021ADFDF16DF65C845ABEBBB9FF49310F180059E906A7290DB35AC11CFA1
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00249705
      • CoCreateGuid.OLE32(?,00000000,00000000,00000030), ref: 00249762
      • SysFreeString.OLEAUT32(?), ref: 0024996A
      Strings
      Similarity
      • API ID: CreateFreeGuidH_prolog3_String
      • String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
      • API String ID: 1084067465-5890034
      • Opcode ID: bad029f9737a70435bbfed0543f5ccac7ba55d0d5cedc6b22c303223edcef52e
      • Instruction ID: 08239eba8b74c086c9a5d3a2de45beafbb631dd734bd58dea1d74bf2772640e8
      • Opcode Fuzzy Hash: bad029f9737a70435bbfed0543f5ccac7ba55d0d5cedc6b22c303223edcef52e
      • Instruction Fuzzy Hash: 9FA18F71A11115AFCB09EFA8DD95EFEB7B9AF49310F144068F406AB292DB349D14CB60
      APIs
        • Part of subcall function 0024BFAD: __EH_prolog3.LIBCMT ref: 0024BFB4
      • SendMessageW.USER32(?,00000433,00000000,?), ref: 0025AAFD
      • GetWindowLongW.USER32(?,000000FC), ref: 0025AB08
      • GetWindowLongW.USER32(?,000000FC), ref: 0025AB1C
      • SetWindowLongW.USER32(?,000000FC,00000000), ref: 0025AB45
      Strings
      Similarity
      • API ID: LongWindow$H_prolog3MessageSend
      • String ID: ,
      • API String ID: 4140968126-3772416878
      • Opcode ID: 02a635798cdc9c8f5f43c24ce5776875bad3ad7eafc2208589f6a23427808500
      • Instruction ID: fb8744b7c1b2ab03a8364120105701eeb855b2d648972321dfcdad89fcc9c463
      • Opcode Fuzzy Hash: 02a635798cdc9c8f5f43c24ce5776875bad3ad7eafc2208589f6a23427808500
      • Instruction Fuzzy Hash: 6671F631A10316AFCB16EF64C986A6E77B9FF48311F040269ED0697251DB70ED24CF96
      APIs
      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003DEC4C), ref: 00397BE1
      • _free.LIBCMT ref: 00397BCF
        • Part of subcall function 00392EB8: HeapFree.KERNEL32(00000000,00000000,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?), ref: 00392ECE
        • Part of subcall function 00392EB8: GetLastError.KERNEL32(?,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?,?), ref: 00392EE0
      • _free.LIBCMT ref: 00397D9B
      Strings
      Similarity
      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
      • String ID: L=$L=
      • API String ID: 2155170405-713417311
      • Opcode ID: fdc5d772a6b1c95ba108aae652e719e9ed4a8460bd624619a480ad14a118870d
      • Instruction ID: 434e779056d5ab136edb22755bf659fec2a6f4d2a6de6f6e7f255ab4247a76c1
      • Opcode Fuzzy Hash: fdc5d772a6b1c95ba108aae652e719e9ed4a8460bd624619a480ad14a118870d
      • Instruction Fuzzy Hash: 67510872914209ABDF22FF799D819BE77BCEF40310B56456AE411AB2D1E7309E40CB94
      APIs
      Strings
      Similarity
      • API ID: H_prolog3
      • String ID: Invalid DateTime
      • API String ID: 431132790-2190634649
      • Opcode ID: 6c5014d11242e9cdf87f8139055c72a757f1ec444e0bc8ed81507bbedd807769
      • Instruction ID: d3f02bcf61f60313e3d76beef56695f300f0adebefa1c433e445541e7f8659a3
      • Opcode Fuzzy Hash: 6c5014d11242e9cdf87f8139055c72a757f1ec444e0bc8ed81507bbedd807769
      • Instruction Fuzzy Hash: A541BF32920109EBCF1EEFA5CC46ABE7778AF41354F244118F515AB1D2CB309A64DBA5
      APIs
        • Part of subcall function 00242590: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
        • Part of subcall function 00242590: LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
        • Part of subcall function 00242590: LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
        • Part of subcall function 00242590: SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      • RegQueryValueExW.ADVAPI32(00000000,UninstallString,00000000,80004005,00000000,00000208), ref: 00244533
      • RegCloseKey.ADVAPI32(00000000), ref: 00244612
      Strings
      Similarity
      • API ID: Resource$CloseFindLoadLockQuerySizeofValue
      • String ID: UninstallString$XML$uninstall.xml
      • API String ID: 286508957-2003308740
      • Opcode ID: 8a5bb44ffd26daf2edbc5458357baa66cb04f56e980e5f57f4c89b47db3717c3
      • Instruction ID: acbb9a5e7e75436160fba0ef47d58d01612584818895d5c947a7874d8a5c17bd
      • Opcode Fuzzy Hash: 8a5bb44ffd26daf2edbc5458357baa66cb04f56e980e5f57f4c89b47db3717c3
      • Instruction Fuzzy Hash: 87312871A10209ABEF18EF55CC45FAEB3B8EF15710F404129FD11BB281D7759924CBA1
      APIs
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      • GetClientRect.USER32(?,?), ref: 00259EBD
      • IsMenu.USER32(?), ref: 00259EFA
      • AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 00259F0D
      • GetClientRect.USER32(?,?), ref: 00259F5A
      Strings
      Similarity
      • API ID: Rect$ClientWindow$AdjustLongMenu
      • String ID: D;
      • API String ID: 3435883281-3792895191
      • Opcode ID: aed077b49fe1eb505d3caaa280584734061fe7d64e7dbdce9c982634689650ff
      • Instruction ID: ab179bfde89fc0f46423307c0b4f4257d17a40cce3f65e0d0ccbae11b5e228ea
      • Opcode Fuzzy Hash: aed077b49fe1eb505d3caaa280584734061fe7d64e7dbdce9c982634689650ff
      • Instruction Fuzzy Hash: 2B317E71E1021AAFDB11DFA9D9499BFBBBDEF48701F10405AE801E3240EB34AD14CB95
      APIs
      • __EH_prolog3.LIBCMT ref: 0027C6FC
      • GetClientRect.USER32(003B2448,?), ref: 0027C74B
        • Part of subcall function 00259AB3: GetScrollPos.USER32(?,00000000), ref: 00259ADF
        • Part of subcall function 00250ACA: GetModuleHandleW.KERNEL32(uxtheme.dll,?,0027C77D,00000001,00000000,?,?,?,00000008,002A46FE,?), ref: 00250AD9
        • Part of subcall function 00250ACA: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 00250AE9
        • Part of subcall function 00250ACA: EncodePointer.KERNEL32(00000000,?,?,?,00000008,002A46FE,?), ref: 00250AF2
      • CreateCompatibleDC.GDI32(?), ref: 0027C7E7
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0027C80D
      Strings
      Similarity
      • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
      • String ID: H$;
      • API String ID: 1015973060-3240824296
      • Opcode ID: cb35c0f46b9ef32470b774aa0aa78a67b4c12cd1b2a11a6f0a3e7cc75ea719f1
      • Instruction ID: 3a46461476fcd453dcf083fd01827ad316f0988896bcb9a0dc144b2efd6a5972
      • Opcode Fuzzy Hash: cb35c0f46b9ef32470b774aa0aa78a67b4c12cd1b2a11a6f0a3e7cc75ea719f1
      • Instruction Fuzzy Hash: 45418DB0910606EFCB15DF65C984A6AFBE8FF08304B10C52DE90D87651DB70E964CF91
      APIs
      • SetRectEmpty.USER32(?), ref: 002C5407
      • GetWindowRect.USER32(?,?), ref: 002C5448
      • GetClientRect.USER32(?,00000000), ref: 002C5466
      Strings
      Similarity
      • API ID: Rect$ClientEmptyWindow
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 742297903-973906075
      • Opcode ID: 3531d35608b923308223f534ecb8ee8b69a63753d90825121966d4d17b4e0882
      • Instruction ID: 88805217133ba03a5fa965b8b04751046e61d0f8faf0b1ec2af937a36ccfc022
      • Opcode Fuzzy Hash: 3531d35608b923308223f534ecb8ee8b69a63753d90825121966d4d17b4e0882
      • Instruction Fuzzy Hash: 7C314C75A106159FCB09DF68C884E6EB7B9FF48302B148169E80ADB351D734ED90CF90
      Strings
      Similarity
      • API ID:
      • String ID: D;$8Y<$<D<$d<
      • API String ID: 0-3644287754
      • Opcode ID: 472e11c898cb8fb40cfb443f6beea7af2fabf62ce5da62a192b75e38ec45b4a5
      • Instruction ID: 9ad8705503441d9f46a704e011c6bae04bceeba2149cca0ec056e85eeb97d6c7
      • Opcode Fuzzy Hash: 472e11c898cb8fb40cfb443f6beea7af2fabf62ce5da62a192b75e38ec45b4a5
      • Instruction Fuzzy Hash: C421D53177061A968A19AE20DC0AEFFF798DB207C8B444038EA47E7285FF60ED204795
      APIs
      • __snprintf_s.LIBCMT ref: 00258222
        • Part of subcall function 00247C92: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00247CA7
      • __snprintf_s.LIBCMT ref: 00258256
      • GetClassInfoW.USER32(?,0000007C,?), ref: 00258286
      Strings
      Similarity
      • API ID: __snprintf_s$ClassInfo__vsnwprintf_s_l
      • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
      • API String ID: 2864017905-2801496823
      • Opcode ID: 49b48c8d03feac748d837fe9f619fe6c2a6bd9536263d0d45dcc06a9665b00ec
      • Instruction ID: b81aa8c1dd60a8d2b6eb9936171d6921051c4c79f54a09051e697ef0733d16c1
      • Opcode Fuzzy Hash: 49b48c8d03feac748d837fe9f619fe6c2a6bd9536263d0d45dcc06a9665b00ec
      • Instruction Fuzzy Hash: 83316FB4910709AFDB11EFA5D841A9E7BB4FF09311F004056FD04AB251E7709A50CFA6
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: EmptyRect
      • String ID: <w<
      • API String ID: 2270935405-2636207696
      • Opcode ID: 73f1dd8e4d24dbbbe05c2540723c6fae8f67a44d2273c7ca7e8c01e1ae990c24
      • Instruction ID: 558ee6db243923c6da8e4f009cb7ceba50697d5b625038effadcccaea951459c
      • Opcode Fuzzy Hash: 73f1dd8e4d24dbbbe05c2540723c6fae8f67a44d2273c7ca7e8c01e1ae990c24
      • Instruction Fuzzy Hash: 6031AC319112098FCF16CF94C884BBEB7A8EF09755F1040AAEE06AB245DB75DD51CF90
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID: Edit
      • API String ID: 0-554135844
      • Opcode ID: 4c7801fc73ed5e73499914ff42eddbef130eda92c206fc81f08e4d73cad8a300
      • Instruction ID: 09807d1b9eda3ffeb0db3367fbe7a12fd1bedd93ef1e981c660424cf097e0f3b
      • Opcode Fuzzy Hash: 4c7801fc73ed5e73499914ff42eddbef130eda92c206fc81f08e4d73cad8a300
      • Instruction Fuzzy Hash: 4A11A13133020BEBEF259F26CD1ABA676A9AF46756F140035FD42914E1DBB1DEB0DA10
      APIs
      • __EH_prolog3.LIBCMT ref: 00261FF5
      • GetClassNameW.USER32(00000000,00000000,00000400), ref: 0026202C
      • GetWindowLongW.USER32(00000000,000000F0), ref: 00262065
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClassH_prolog3LongNameWindow
      • String ID: ComboBox$ComboBoxEx32
      • API String ID: 297531199-1907415764
      • Opcode ID: d3037c2432286f5745ca3ffd6d6588a163cb5a3e0a200d18016b1c74d9eddb2e
      • Instruction ID: 014c714da1aa6fd1899a2b4d6e3fa0c71a622439604f39bfdd2c0929aa2a8576
      • Opcode Fuzzy Hash: d3037c2432286f5745ca3ffd6d6588a163cb5a3e0a200d18016b1c74d9eddb2e
      • Instruction Fuzzy Hash: DA01F572420526EBDB1ABB60CD46BEEB778BF22330F500518F110A20D1DF31A969CB65
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,0024D753,00000000,80000000,00000000,0000000C,00000003,?,00000000,?,00000000,?), ref: 0024D3C6
      • GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 0024D3D6
      • CreateFileW.KERNEL32(?,?,00000000,00000104,00000000,?,00000000,?,00000000,00000000,?,0024D753,00000000,80000000,00000000,0000000C), ref: 0024D41F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressCreateFileHandleModuleProc
      • String ID: CreateFileTransactedW$kernel32.dll
      • API String ID: 2580138172-2053874626
      • Opcode ID: c359f89a340038581cee5f9da6d655ea97ed836219e7cd9e21cfb07d1ed9c7a5
      • Instruction ID: ec3090dd2ca670d5598e1006217336df1442a7cd1bfe616aeded595e1ed081e0
      • Opcode Fuzzy Hash: c359f89a340038581cee5f9da6d655ea97ed836219e7cd9e21cfb07d1ed9c7a5
      • Instruction Fuzzy Hash: 1701043611024AFFCF160F94DC44DAA3F7AFB883A5F148529FA51560A0CB72D871EBA0
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 002527D3
      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002527E3
        • Part of subcall function 0024C719: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0024C72C
        • Part of subcall function 0024C719: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0024C73C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegDeleteKeyExW
      • API String ID: 1646373207-2191092095
      • Opcode ID: cea10c62e3ca3aeda4c8a4e3f0836c55bcdcc4a56a2afddd446df5832bbd6d8b
      • Instruction ID: 13c2ebae4aa022b3039eadae167db9fabad3ebab8c13bd9479c26735c78a8977
      • Opcode Fuzzy Hash: cea10c62e3ca3aeda4c8a4e3f0836c55bcdcc4a56a2afddd446df5832bbd6d8b
      • Instruction Fuzzy Hash: 9501B139514212FBDB138F51ED18A99BF68EB0A752F140135FD01B21E0CBF19C28ABAC
      APIs
      • FindResourceW.KERNEL32(?,?,PNG,?,?,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D15
      • LoadResource.KERNEL32(?,00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D23
      • LockResource.KERNEL32(00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D2E
      • SizeofResource.KERNEL32(?,00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D3C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID: PNG
      • API String ID: 3473537107-364855578
      • Opcode ID: 963388f408964ba3f83d14c2ace1ebd6b3685c145594027e03d1f47a4ef5b5f7
      • Instruction ID: b36be75fabf24577a1cb9e9b32729b701911b244d958a06f0bc9750c1d0d3760
      • Opcode Fuzzy Hash: 963388f408964ba3f83d14c2ace1ebd6b3685c145594027e03d1f47a4ef5b5f7
      • Instruction Fuzzy Hash: BCF0F63E611115BBCB126FA5CD49D9F77ACDE8A7517008025FD01D7280DB74DD2287B1
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250C98
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 00250C81
      • EncodePointer.KERNEL32(00000000), ref: 00250C8A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmDefWindowProc$dwmapi.dll
      • API String ID: 1102202064-234806475
      • Opcode ID: 21ba2b17c77247f7552e3afd362bbe62c8b3388067ae5a3ab045dbd76037fdd8
      • Instruction ID: 6b321dcf21bca865257928d3c160f14062f37ac675b9fb0f8fc03c8065f0811a
      • Opcode Fuzzy Hash: 21ba2b17c77247f7552e3afd362bbe62c8b3388067ae5a3ab045dbd76037fdd8
      • Instruction Fuzzy Hash: C7F0B43551131BABCF126F75DE499AA3F6CBB06792B040622FD01E22A0DB70C821DB98
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250DB8
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00250DA1
      • EncodePointer.KERNEL32(00000000), ref: 00250DAA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
      • API String ID: 1102202064-1757063745
      • Opcode ID: 819c82ee0b5f714f2925cee7eae85aaf636207d65a8b2a263afb6d8176afc1b1
      • Instruction ID: 10b0877f218e5ee42934e2d7fa7c791dae777bf0720caeb7e968481c852c9e02
      • Opcode Fuzzy Hash: 819c82ee0b5f714f2925cee7eae85aaf636207d65a8b2a263afb6d8176afc1b1
      • Instruction Fuzzy Hash: 72F0B436552317ABCF122FA4ED488AF3F7CEB45791B000421FD01A6260C770D8208B98
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250E7F
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 00250E68
      • EncodePointer.KERNEL32(00000000), ref: 00250E71
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmSetWindowAttribute$dwmapi.dll
      • API String ID: 1102202064-3105884578
      • Opcode ID: dba1d5a6ea464f49ba41daccbe42d05f0357c52419f00c147d4ad9b604dd2944
      • Instruction ID: 6efee602ebcc95f2396b54c36bf67034ff3bb99605cc1aedcddce3c2e9447fd6
      • Opcode Fuzzy Hash: dba1d5a6ea464f49ba41daccbe42d05f0357c52419f00c147d4ad9b604dd2944
      • Instruction Fuzzy Hash: 35F0B436511316ABCF126F75ED5E8AB3B6CAB49791B100821FD01A7260C770CC64CB98
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250D59
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 00250D42
      • EncodePointer.KERNEL32(00000000), ref: 00250D4B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmIsCompositionEnabled$dwmapi.dll
      • API String ID: 1102202064-1198327662
      • Opcode ID: 33b5756ccaf955664563b01d3998eef387e07dca84d3e15b894104081c8f1547
      • Instruction ID: 101a2118ddb1cac87a34264d33d7854f91e0afdb9da9a66f021d2991de38ffd9
      • Opcode Fuzzy Hash: 33b5756ccaf955664563b01d3998eef387e07dca84d3e15b894104081c8f1547
      • Instruction Fuzzy Hash: BBF0B435512712ABCB125BB4DD4D66A37ACDB05792B000121FC01E7260DB70A8108A98
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250E1D
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 00250E06
      • EncodePointer.KERNEL32(00000000), ref: 00250E0F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmSetIconicThumbnail$dwmapi.dll
      • API String ID: 1102202064-2331651847
      • Opcode ID: 1d6f02237744ce51be48f966e2ceb6570a42ac086bffa602298033f02afe8380
      • Instruction ID: 7d2e980605599bb2134a5de73414317c645962d4a2eff1b95a8d355424bec9ef
      • Opcode Fuzzy Hash: 1d6f02237744ce51be48f966e2ceb6570a42ac086bffa602298033f02afe8380
      • Instruction Fuzzy Hash: 0EF0BE36521326ABCB122F649D5E89B3A6DAB48792B100821FD05E72A0DA70CC218F98
      APIs
      • DecodePointer.KERNEL32(00000000), ref: 00250CFD
        • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
        • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
        • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
      • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00250CE6
      • EncodePointer.KERNEL32(00000000), ref: 00250CEF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
      • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
      • API String ID: 1102202064-1901905683
      • Opcode ID: d9fc9c97fd5bc51eceb801e7c887386de4d9210e346336abf8fc2dd14a917054
      • Instruction ID: f98e49a5ef85d2f4e4338ad393621654a3626346c44b1cce79797eeee62ca43d
      • Opcode Fuzzy Hash: d9fc9c97fd5bc51eceb801e7c887386de4d9210e346336abf8fc2dd14a917054
      • Instruction Fuzzy Hash: 0DF0EC35552727A7CB122BB4AD5C96B3AACEF497937010121FD05E7290EF70DC114AEC
      APIs
      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00391D46,?,?,00391D0E,?,?,?), ref: 00391D66
      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00391D79
      • FreeLibrary.KERNEL32(00000000,?,?,00391D46,?,?,00391D0E,?,?,?), ref: 00391D9C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AddressFreeHandleLibraryModuleProc
      • String ID: CorExitProcess$mscoree.dll
      • API String ID: 4061214504-1276376045
      • Opcode ID: 8fd878e38055fdda48f9af764f691a04f818638759d76326599eb7bd8f2ebcad
      • Instruction ID: 7076af6f4a7043092f02e15389ed46569d7a12a3364d34e663962f202d571010
      • Opcode Fuzzy Hash: 8fd878e38055fdda48f9af764f691a04f818638759d76326599eb7bd8f2ebcad
      • Instruction Fuzzy Hash: 37F01C32A01329FBDF139B55ED0ABEE7ABCEB41755F154065F805B21A0CB748F00EA91
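      The GetModuleHandle*/GetProcAddress pairs in the entries above resolve APIs by name at run time instead of importing them: CreateFileTransactedW with a plain CreateFileW fallback, RegDeleteKeyExW and RegDeleteKeyTransactedW from Advapi32.dll, SetDefaultDllDirectories from kernel32.dll, the Dwm* functions whose cached pointers pass through EncodePointer/DecodePointer, and CorExitProcess from mscoree.dll, which is released again with FreeLibrary. Late binding is how a binary stays loadable on Windows versions that lack an export, but it is also how packers and loaders hide their real imports from static tools, so the first triage question is which symbols are resolved from which DLL. The set seen here (transacted file and registry calls with non-transacted fallbacks, DWM taskbar-thumbnail helpers, a check for a loaded CLR at exit, and "Afx:%p:%x" window class names in the earlier entry) is consistent with the MFC and MSVC CRT runtime support code rather than with a custom loader, which fits the report's low score.

      The following script is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses APIs sections in the text form shown on this page and lists every dynamic resolution per DLL. The line layout matched by API_LINE and the rule that pairs a GetProcAddress with the nearest module lookup in the same call context are assumptions taken from the entries visible here; a GetProcAddress whose handle is not visible in its own context (the DWM case, where the handle comes from a DecodePointer'd cache) is reported as unknown rather than guessed.

```python
"""Triage helper for the "APIs" lists in Joe Sandbox function entries: report
every import the sample resolves at run time (GetModuleHandle*/LoadLibrary*
followed by GetProcAddress on a symbol name).  Added example, not code from the
report or from the analysed sample; the line layout matched by API_LINE is an
assumption taken from the entries visible on this page."""
from __future__ import annotations
import re

# One API line, optionally nested as "Part of subcall function XXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
MODULE_LOOKUPS = {"GetModuleHandleW", "GetModuleHandleA", "GetModuleHandleExW",
                  "GetModuleHandleExA", "LoadLibraryW", "LoadLibraryA",
                  "LoadLibraryExW", "LoadLibraryExA"}

# Constructed sample: the "APIs" sections of four entries from this page.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,0024D753,00000000,80000000,00000000,0000000C,00000003,?,00000000,?,00000000,?), ref: 0024D3C6
• GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 0024D3D6
• CreateFileW.KERNEL32(?,?,00000000,00000104,00000000,?,00000000,?,00000000,00000000,?,0024D753,00000000,80000000,00000000,0000000C), ref: 0024D41F
Strings
• String ID: CreateFileTransactedW$kernel32.dll
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 002527D3
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002527E3
  • Part of subcall function 0024C719: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0024C72C
  • Part of subcall function 0024C719: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0024C73C
Strings
APIs
• DecodePointer.KERNEL32(00000000), ref: 00250C98
  • Part of subcall function 0024ECAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 0024ECD5
  • Part of subcall function 0024ECAF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0024ECE5
  • Part of subcall function 0024ECAF: EncodePointer.KERNEL32(00000000,?,00000000), ref: 0024ECEE
• GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 00250C81
• EncodePointer.KERNEL32(00000000), ref: 00250C8A
Strings
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00391D46,?,?,00391D0E,?,?,?), ref: 00391D66
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00391D79
• FreeLibrary.KERNEL32(00000000,?,?,00391D46,?,?,00391D0E,?,?,?), ref: 00391D9C
Strings
"""


def parse_api_lines(text: str):
    """Yield (entry, ctx, name, args, ref) for each API line.  A new entry
    starts at every bare 'APIs' heading; ctx is the subcall address or ''."""
    entry = -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            entry += 1
            continue
        m = API_LINE.match(line)
        if m is None or entry < 0:      # headings, String IDs, dump sources
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        yield entry, m.group("sub") or "", m.group("name"), args, m.group("ref")


def dynamic_resolutions(text: str) -> list[dict]:
    """Pair each GetProcAddress with the nearest preceding module lookup in
    the same entry and call context (entry body, or one named subcall).
    With no lookup visible in that context, dll is None, not a guess."""
    last_dll: dict[tuple[int, str], str] = {}
    seen_refs: set[str] = set()
    found: list[dict] = []
    for entry, ctx, name, args, ref in parse_api_lines(text):
        key = (entry, ctx)
        if name in MODULE_LOOKUPS:
            dll = next((a for a in args if a.lower().endswith(".dll")), None)
            if dll:
                last_dll[key] = dll
        elif name == "GetProcAddress" and len(args) >= 2:
            if ref in seen_refs:        # one subcall is listed under many callers
                continue
            seen_refs.add(ref)
            found.append({"ref": ref, "dll": last_dll.get(key),
                          "symbol": args[1], "subcall": ctx or None})
    return found


def symbols_by_dll(resolutions: list[dict]) -> dict[str, list[str]]:
    """Group resolved symbol names by DLL; unresolved handles go to '<unknown>'."""
    out: dict[str, list[str]] = {}
    for r in resolutions:
        out.setdefault(r["dll"] or "<unknown>", []).append(r["symbol"])
    return out


if __name__ == "__main__":
    for dll, names in symbols_by_dll(dynamic_resolutions(SAMPLE_REPORT)).items():
        print(f"{dll}: {', '.join(names)}")
```

      To run it over a whole report, replace SAMPLE_REPORT with the text export of the function listing; the regular expression ignores the Similarity, Strings and Memory Dump Source lines, so the file can be fed in as-is. Pairing by call context matters: in the DWM entries the subcall lines mention kernel32.dll and SetDefaultDllDirectories before the DwmDefWindowProc lookup, and a naive "nearest preceding DLL" rule would attribute the DWM symbol to kernel32.dll.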
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$Empty$Client
      • String ID:
      • API String ID: 1457177775-0
      • Opcode ID: 47ad5491d2034e62e8005e2f737395406e70bc1810546da047ecc7d226f5731a
      • Instruction ID: 8284a588a494f3b0b8232f170b19703ea60cfd07579212db9b6da03ed9562dc7
      • Opcode Fuzzy Hash: 47ad5491d2034e62e8005e2f737395406e70bc1810546da047ecc7d226f5731a
      • Instruction Fuzzy Hash: 42E11B31E10A2A8FCF16CFA8D9846AEB7F2BF49310F254169E805BB240D771AD55CF50
      APIs
        • Part of subcall function 002811BE: GdipGetImagePixelFormat.GDIPLUS(?,00404690,00000000,00000000,?,0027FDAD,00000000,00000000,00404690), ref: 002811CC
      • GdipBitmapLockBits.GDIPLUS(00000007,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00404690), ref: 0027FF87
        • Part of subcall function 0028119A: GdipGetImagePaletteSize.GDIPLUS(00000007,00000000,00000000,?,?,0027FE67,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002811AC
      • GdipBitmapUnlockBits.GDIPLUS(00000007,?,00000007,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00404690), ref: 00280032
        • Part of subcall function 0027E1A0: GdipCreateBitmapFromScan0.GDIPLUS(00000000,00000000,00000000,00000000,00000000,00404690,00000000,?,?,00280058,?,?,?,00022009,?,00000000), ref: 0027E1C7
        • Part of subcall function 0027E3D9: GdipGetImageGraphicsContext.GDIPLUS(?,00404690,00000000,?,?,0028006A,?,?,?,?,00022009,?,00000000,00000000,?,00000000), ref: 0027E3F3
      • GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00280084
      • GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000), ref: 0028008F
      • GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000), ref: 0028009A
        • Part of subcall function 00386E1C: _free.LIBCMT ref: 00386E2F
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Gdip$Image$Bitmap$BitsGraphics$ContextCreateDeleteDisposeDrawFormatFromLockPalettePixelScan0SizeUnlock_free
      • String ID:
      • API String ID: 1252309004-0
      • Opcode ID: 66d0bb5825cfeb6857ed553e9a0461aaaf6276f255b4f95c70ffa2cb574192d4
      • Instruction ID: 3ea604769b2927c89c29fde1c7569b140aaf27faf321284e61f4ddc423112ac0
      • Opcode Fuzzy Hash: 66d0bb5825cfeb6857ed553e9a0461aaaf6276f255b4f95c70ffa2cb574192d4
      • Instruction Fuzzy Hash: FE914FF5A112299FDB64DF14CD80BA9B7B8EB48304F4081E9EA0DA7251D730AED5CF58
      APIs
      • __EH_prolog3_catch.LIBCMT ref: 00262924
      • GlobalLock.KERNEL32(00000000), ref: 00262A29
      • DestroyWindow.USER32(?,?,?,00000000,0026273E,00000000), ref: 00262AFA
      • GlobalUnlock.KERNEL32(00000000), ref: 00262B07
      • GlobalFree.KERNEL32(00000000), ref: 00262B0E
        • Part of subcall function 0026870A: GetStockObject.GDI32(00000011), ref: 0026872C
        • Part of subcall function 0026870A: GetStockObject.GDI32(0000000D), ref: 00268738
        • Part of subcall function 0026870A: GetObjectW.GDI32(00000000,0000005C,?), ref: 00268749
        • Part of subcall function 0026870A: GetDC.USER32(00000000), ref: 00268758
        • Part of subcall function 0026870A: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0026876F
        • Part of subcall function 0026870A: MulDiv.KERNEL32(?,00000048,00000000), ref: 0026877B
        • Part of subcall function 0026870A: ReleaseDC.USER32(00000000,00000000), ref: 00268787
        • Part of subcall function 002683F6: GlobalFree.KERNEL32 ref: 002683FD
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$Object$FreeStock$CapsDestroyDeviceH_prolog3_catchLockReleaseUnlockWindow
      • String ID:
      • API String ID: 15253214-0
      • Opcode ID: 196c7ddca5db3829dbb77fb24e0f2ea1a160d24b4c04b3c0fbfa21185c444d27
      • Instruction ID: 60b58df624ccb5b4e409775c446f3f76aa6132c2a9bbcbf26664964f9f3f2f0f
      • Opcode Fuzzy Hash: 196c7ddca5db3829dbb77fb24e0f2ea1a160d24b4c04b3c0fbfa21185c444d27
      • Instruction Fuzzy Hash: 5051AE31E1061ADFCF15EFA4C985AAEBBB4BF18310F140119E802B7291DB749E65CFA1
      APIs
      • SendMessageW.USER32(?,0000120C,00000000,00000002), ref: 00271E35
      • SendMessageW.USER32(?,0000120C,00000001,00000002), ref: 00271E6A
      • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00271E90
      • GetCapture.USER32 ref: 00271F1F
      • ReleaseCapture.USER32 ref: 00271F29
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CaptureMessageSend$RedrawReleaseWindow
      • String ID:
      • API String ID: 2167886739-0
      • Opcode ID: 3234194a6a2c6d03a1aee759d6f7ef54b8a1f33d03eca286b5bec4c88b661e0b
      • Instruction ID: 62de5db5a57dd5d070d5f1bb324670c752e8ac1553a1c8d70f6a792fc5e40c92
      • Opcode Fuzzy Hash: 3234194a6a2c6d03a1aee759d6f7ef54b8a1f33d03eca286b5bec4c88b661e0b
      • Instruction Fuzzy Hash: DF4191357113159FCB099F28DC88BAD77A9FF49750F084069EC0AA7391DB74AC20CB91
      APIs
      • GetClientRect.USER32(00000000,002843AF), ref: 002B4C0D
        • Part of subcall function 002554CD: ClientToScreen.USER32(?,?), ref: 002554DC
        • Part of subcall function 002554CD: ClientToScreen.USER32(?,?), ref: 002554E9
      • PtInRect.USER32(002843AF,?,?), ref: 002B4C27
      • PtInRect.USER32(?,?,?), ref: 002B4CA0
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientRect$Screen
      • String ID:
      • API String ID: 3187875807-0
      • Opcode ID: 9ff49ddcdef092349fe9bc8ed70be5abef5ef5b38fb0ce34144acbd6952cd683
      • Instruction ID: dede2b22ce745cfae7dd1873aae6a5a092fdd477f9c6ced0b27a5f5755226d2a
      • Opcode Fuzzy Hash: 9ff49ddcdef092349fe9bc8ed70be5abef5ef5b38fb0ce34144acbd6952cd683
      • Instruction Fuzzy Hash: 8741427191050AEFCF11DFA4D984AEE7BF9FF08740F104426E905E7251D771AA51CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Parent$FocusMessageSendUpdateWindow
      • String ID:
      • API String ID: 2438739141-0
      • Opcode ID: e8eb18d450baed7918ebc75dcae87fa7e7ba9ea41c682d4e932935421eb75160
      • Instruction ID: f8c70ed090fbf8165a6550ac413b66d9cc511e706159d16246a13a083bd08c61
      • Opcode Fuzzy Hash: e8eb18d450baed7918ebc75dcae87fa7e7ba9ea41c682d4e932935421eb75160
      • Instruction Fuzzy Hash: 2F41F331620722DBCF126F388D9862D3BA9BB46331F0502BCEC16DB2E5DB3488528F44
      APIs
      • GetCursorPos.USER32(00000000), ref: 00299C02
      • ScreenToClient.USER32(?,00000000), ref: 00299C30
      • ScreenToClient.USER32(?,?), ref: 00299C9E
      • PtInRect.USER32(00000000,?,?), ref: 00299CCF
      • SetCursor.USER32(?), ref: 00299D03
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientCursorScreen$Rect
      • String ID:
      • API String ID: 1082406499-0
      • Opcode ID: 0bd8e55e9283a9f478e108cda78381b73561211511672906b1d85d5a59ce876c
      • Instruction ID: a9b29a3c28b1311830b456be11e7c033bc2ef00378cfd5bc1dc54a1123400581
      • Opcode Fuzzy Hash: 0bd8e55e9283a9f478e108cda78381b73561211511672906b1d85d5a59ce876c
      • Instruction Fuzzy Hash: 90416171A10206DFCF16DFA4CD85BBDB7B8BF48325F10012AE411A7150DB749951CF95
      APIs
      • IsWindow.USER32(00000000), ref: 002AD6B4
      • SendMessageW.USER32(00000000,00000439,00000000,?), ref: 002AD6F9
      • SendMessageW.USER32(00000000,00000410,00000000,?), ref: 002AD73D
      • ScreenToClient.USER32(00000000,?), ref: 002AD765
      • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 002AD78D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$ClientScreenWindow
      • String ID:
      • API String ID: 4074774880-0
      • Opcode ID: b6211ea104845bb120d557b1da9e5b32f333c46ea00c6f821a9a6359c1e55318
      • Instruction ID: 79e95a590c3e9fe42a76865ceebffaf0cb4ed6112be6e14f3dc85e3e682d51a0
      • Opcode Fuzzy Hash: b6211ea104845bb120d557b1da9e5b32f333c46ea00c6f821a9a6359c1e55318
      • Instruction Fuzzy Hash: B531A775900219ABDB08DF95DC45AAEB7BCFB49710F100116F905A7690EB70ED10CB94
      APIs
      • __EH_prolog3.LIBCMT ref: 0025C5B7
      • GetTopWindow.USER32(?), ref: 0025C5E4
      • GetDlgCtrlID.USER32(00000000), ref: 0025C5F6
      • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0025C651
      • GetWindow.USER32(00000000,00000002), ref: 0025C693
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$CtrlH_prolog3MessageSend
      • String ID:
      • API String ID: 849854284-0
      • Opcode ID: fac1bc1892be736e6ccc703dbeea4c0dd5c379a3bcde89d56115c5638412dd90
      • Instruction ID: 1180d3b5e771d95dbcb5abdfc65af88c78973fa62ff50a99d4ac954d7b42b712
      • Opcode Fuzzy Hash: fac1bc1892be736e6ccc703dbeea4c0dd5c379a3bcde89d56115c5638412dd90
      • Instruction Fuzzy Hash: FF210F71920315AEDF2AAF70DD45EAE76BDEFA5301F200154FC09A2151EB308F18CE55
      APIs
      • GlobalAlloc.KERNEL32(00000002,?,00000000,?,00000000,?,00281D4C,00000000,00000000,?,003B97C8,?,00282B59,?,00000000,?), ref: 00281D64
      • GlobalLock.KERNEL32(00000000), ref: 00281D79
      • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 00281D95
      • EnterCriticalSection.KERNEL32(00404690,00000000), ref: 00281DB2
      • LeaveCriticalSection.KERNEL32(00404690), ref: 00281E19
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream
      • String ID:
      • API String ID: 983187867-0
      • Opcode ID: 295c51beb2cb12819928368a4880fd109777d8f6d8d0ad6dff72906d797bc3ad
      • Instruction ID: 991aab6928ab4dd54306c3034a6ddc5c058cc81953b6bb954b1fbb7ef0ef40da
      • Opcode Fuzzy Hash: 295c51beb2cb12819928368a4880fd109777d8f6d8d0ad6dff72906d797bc3ad
      • Instruction Fuzzy Hash: 3321C279611202ABDB15BF70ED09B6E37ACAB86321F000429FE05E72D1EB798D21CB55
      APIs
        • Part of subcall function 002548B5: __EH_prolog3.LIBCMT ref: 002548BC
        • Part of subcall function 002548B5: GetDC.USER32(00000000), ref: 002548E8
      • IsRectEmpty.USER32(?), ref: 00275F84
      • InvertRect.USER32(?,?), ref: 00275F92
      • SetRectEmpty.USER32(?), ref: 00275FA4
      • GetClientRect.USER32(?,00274295), ref: 00275FC1
      • InvertRect.USER32(?,?), ref: 00276011
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$EmptyInvert$ClientH_prolog3
      • String ID:
      • API String ID: 1656078942-0
      • Opcode ID: 6768a05cd6fc1de90eecd54a8be896fc246fa25b1a3e04352ac03b0f432527f3
      • Instruction ID: 4b930b682d62fc08cc03d939ce8a12c406dba7b156a145d6e6402834397d6bd8
      • Opcode Fuzzy Hash: 6768a05cd6fc1de90eecd54a8be896fc246fa25b1a3e04352ac03b0f432527f3
      • Instruction Fuzzy Hash: 27216071A106099FDB05DFB4CC889EEBBF9FF4A305F104129E409E7210E7719A45CB50
      APIs
      • FillRect.USER32(?,?,00000000), ref: 00290C10
      • GetParent.USER32(?), ref: 00290C27
      • GetClientRect.USER32(?,?), ref: 00290C3A
      • GetParent.USER32(?), ref: 00290C43
      • MapWindowPoints.USER32(?,?,?,00000002), ref: 00290C5B
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ParentRect$ClientFillPointsWindow
      • String ID:
      • API String ID: 3058756167-0
      • Opcode ID: 727c8b96c8e87174e5c47130b169d760782270bf99dfe152a98ad09a3810074e
      • Instruction ID: 9ca258be2ca0a27f04915a08f37b4264cb1e7d7252d849f15367246cbe9bf0e3
      • Opcode Fuzzy Hash: 727c8b96c8e87174e5c47130b169d760782270bf99dfe152a98ad09a3810074e
      • Instruction Fuzzy Hash: 32217C72910119EFCB05EFA8CC498AEBBB9FF0A300F04415AF905A7221DB71AA14CFD0
      APIs
      • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00250200
      • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00250220
      • RegCloseKey.ADVAPI32(00000000), ref: 00250251
        • Part of subcall function 0024FB8C: RegCloseKey.ADVAPI32(00000000), ref: 0024FC31
        • Part of subcall function 0024FB8C: RegCloseKey.ADVAPI32(00000000), ref: 0024FC40
      • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 00250248
      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0025026C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Close$DeleteValue$PrivateProfileStringWrite
      • String ID:
      • API String ID: 222425065-0
      • Opcode ID: 91f08f6ce84f3f6387993c02cedf6b9922f4e7f97b56ba8bbab3fc687d5df3df
      • Instruction ID: fc90a59afd6acf205dd0eb7fbef80629c8dff0f5b7c3e59c6e81a92fbd3fafa7
      • Opcode Fuzzy Hash: 91f08f6ce84f3f6387993c02cedf6b9922f4e7f97b56ba8bbab3fc687d5df3df
      • Instruction Fuzzy Hash: CC11A736021216BBCB235FA19C8CE9B3A2DEF89752F114420FD05DA110DA71DC299BA4
      APIs
      • SelectObject.GDI32(?,00000000), ref: 00280F1D
        • Part of subcall function 0025161C: DeleteObject.GDI32(?), ref: 0025162E
      • SelectObject.GDI32(?,00000000), ref: 00280F32
      • DeleteObject.GDI32(00000000), ref: 00280F98
      • DeleteDC.GDI32(00000000), ref: 00280FA7
      • LeaveCriticalSection.KERNEL32(00404690), ref: 00280FBE
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Delete$Select$CriticalLeaveSection
      • String ID:
      • API String ID: 3849354926-0
      • Opcode ID: 1e090c8e54c63f0d5936766f2e0e9e3e28fb696d8643472c796557d998775c30
      • Instruction ID: 8a5a1817d7cb8bea2b95497919cf3cce390743bcba32f2159ba54f2a1d9081b6
      • Opcode Fuzzy Hash: 1e090c8e54c63f0d5936766f2e0e9e3e28fb696d8643472c796557d998775c30
      • Instruction Fuzzy Hash: 3B212375811200DFDF21AF64CC88A5ABBB9FF52301F108165EE18AA0E6DBB59868CF50
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00275874
      • IsWindow.USER32(?), ref: 0027589B
      • InflateRect.USER32(?,00000000,000000FF), ref: 002758B7
      • InvalidateRect.USER32(?,?,00000001), ref: 002758CC
      • UpdateWindow.USER32(?), ref: 002758DB
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
      • String ID:
      • API String ID: 2146894351-0
      • Opcode ID: e5d6bc5b8a2ee3ee70197f30c5618ca8f7303e4d313c5f2c29288fb3ef046c40
      • Instruction ID: c56c017cee054625691ddc421136e16613e217f1c9ea0d7309d39ffbf1298308
      • Opcode Fuzzy Hash: e5d6bc5b8a2ee3ee70197f30c5618ca8f7303e4d313c5f2c29288fb3ef046c40
      • Instruction Fuzzy Hash: D21126716102169FDF09EF64C994FA977B9BF09300F0441A8F90AAF2A2CB75A954CB60
      APIs
      • GetObjectW.GDI32(?,0000005C,?), ref: 0027AB6C
      • CreateFontIndirectW.GDI32(?), ref: 0027AB83
      • IsWindow.USER32(?), ref: 0027AB9D
      • InvalidateRect.USER32(?,00000000,00000001), ref: 0027ABBB
      • UpdateWindow.USER32(?), ref: 0027ABC4
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
      • String ID:
      • API String ID: 1602852816-0
      • Opcode ID: 79b1a95c90dbee1571ddcc0185178f3e1c7fa8d775ba8a6bf0175c3af1607dc9
      • Instruction ID: 6c78077df79ca257b9c07674196ed8ead6d41421694c56b6781eda53664a2bdc
      • Opcode Fuzzy Hash: 79b1a95c90dbee1571ddcc0185178f3e1c7fa8d775ba8a6bf0175c3af1607dc9
      • Instruction Fuzzy Hash: 9211E131620615EFCB16AF70CC49EAE77AEBF98711F008418F90A971A0DB74E8258B81
      APIs
      • DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000), ref: 00291768
      • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDB,?), ref: 0029177B
      • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDF,?), ref: 0029178E
      • GetSysColorBrush.USER32(00000018), ref: 002917A3
      • FillRect.USER32(?,?,00000000), ref: 002917AF
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ColorTheme$BackgroundBrushDrawFillRect
      • String ID:
      • API String ID: 3021913306-0
      • Opcode ID: 46dfcfbc4216c01fe6bb5341b427cae6fe84e8c1d0d3113fe4251885f0a1320e
      • Instruction ID: d5f35a0b571f78639a4e77b309e96087d5a8eb44ef48851ab14ffe945fd87442
      • Opcode Fuzzy Hash: 46dfcfbc4216c01fe6bb5341b427cae6fe84e8c1d0d3113fe4251885f0a1320e
      • Instruction Fuzzy Hash: 2B01523226031AABEB218F85DD49FE7B7ADEB48B01F154415F701A60E0D7B1AC20CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientCursorRect$Screen
      • String ID:
      • API String ID: 1023402310-0
      • Opcode ID: 7a161073afe7271dae412b80f620d880236093c84fb5e66d2f8c8a95c2d64826
      • Instruction ID: 84038223d886ac735e864d19d992fb48cf75ced80cd43daaca2c5f7bf59fdbc5
      • Opcode Fuzzy Hash: 7a161073afe7271dae412b80f620d880236093c84fb5e66d2f8c8a95c2d64826
      • Instruction Fuzzy Hash: 1A1118B1D1020AEFCB029FA5C9498BEBBBCFF59300B00452AE416A2220D7345A12DF61
      APIs
      • PtInRect.USER32(?,?,?), ref: 0026D2F0
      • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 0026D30E
      • PtInRect.USER32(?,?,?), ref: 0026D32B
      • ReleaseCapture.USER32 ref: 0026D33B
      • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 0026D34B
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: RectRedrawWindow$CaptureRelease
      • String ID:
      • API String ID: 1080614547-0
      APIs
      • _free.LIBCMT ref: 0039B312
        • Part of subcall function 00392EB8: HeapFree.KERNEL32(00000000,00000000,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?), ref: 00392ECE
        • Part of subcall function 00392EB8: GetLastError.KERNEL32(?,?,0039B38D,?,00000000,?,?,?,0039B3B4,?,00000007,?,?,0039B796,?,?), ref: 00392EE0
      • _free.LIBCMT ref: 0039B324
      • _free.LIBCMT ref: 0039B336
      • _free.LIBCMT ref: 0039B348
      • _free.LIBCMT ref: 0039B35A
      Similarity
      • API ID: _free$ErrorFreeHeapLast
      • String ID:
      • API String ID: 776569668-0
      APIs
      • EnterCriticalSection.KERNEL32(00402958,?,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 002560C9
      • InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
      • LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
      • EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
        • Part of subcall function 00256074: InitializeCriticalSection.KERNEL32(00402958,002560B3,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 0025608C
      Similarity
      • API ID: CriticalSection$EnterInitialize$Leave
      • String ID: X)@
      • API String ID: 713024617-2943645793
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 003024E6
      • IsRectEmpty.USER32(00000000), ref: 0030299D
      • OffsetRect.USER32(00000001,00000000,00000001), ref: 003029DE
      Similarity
      • API ID: Rect$EmptyH_prolog3_Offset
      • String ID: !
      • API String ID: 307044148-2657877971
      APIs
      • __fread_nolock.LIBCMT ref: 00248222
        • Part of subcall function 0024CCB4: __EH_prolog3.LIBCMT ref: 0024CCBB
        • Part of subcall function 0024CCB4: __EH_prolog3.LIBCMT ref: 0024CD00
      Similarity
      • API ID: H_prolog3$__fread_nolock
      • String ID: +$6I$$a
      • API String ID: 235550537-4035965437
      APIs
        • Part of subcall function 00242590: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
        • Part of subcall function 00242590: LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
        • Part of subcall function 00242590: LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
        • Part of subcall function 00242590: SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      • GetTempPathW.KERNEL32(00000104,?,003E1718), ref: 002441B4
      • SHFileOperationW.SHELL32(?,*.*), ref: 002443AB
        • Part of subcall function 00241C60: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?), ref: 00241C85
        • Part of subcall function 00241C60: GetLastError.KERNEL32(?,00000000,00000000,?), ref: 00241C8F
      Similarity
      • API ID: Resource$CriticalErrorFileFindInitializeLastLoadLockOperationPathSectionSizeofTemp
      • String ID: *.*$sldim_%s
      • API String ID: 1273104938-1015435057
      APIs
      • GetSysColorBrush.USER32(0000000F), ref: 00284D73
      • SetClassLongW.USER32(?,000000F6,00000000), ref: 00284D7F
      • GetWindowRect.USER32(?,?), ref: 00284DA4
      Similarity
      • API ID: BrushClassColorLongRectWindow
      • String ID: X;
      • API String ID: 3059706247-1849664133
      APIs
      • DestroyAcceleratorTable.USER32(00000000), ref: 002C7C89
        • Part of subcall function 0025994D: GetParent.USER32(?), ref: 00259979
      • CreateAcceleratorTableW.USER32(00000000,?,?,?), ref: 002C7CE3
      • DestroyAcceleratorTable.USER32(00000000), ref: 002C7D06
      Similarity
      • API ID: AcceleratorTable$Destroy$CreateParent
      • String ID: X;
      • API String ID: 2271732900-1849664133
      APIs
      • __EH_prolog3.LIBCMT ref: 002B20B7
      • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 002B21B5
      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002B21E1
        • Part of subcall function 002ACC30: __EH_prolog3.LIBCMT ref: 002ACC37
      Similarity
      • API ID: H_prolog3MessageSend
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 936991600-973906075
      APIs
      Similarity
      • API ID: H_prolog3
      • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
      • API String ID: 431132790-2016111687
      APIs
      • FillRect.USER32(?,?,?), ref: 00272C20
      • FillRect.USER32(?,?,?), ref: 00272C68
      • InflateRect.USER32(?,000000FC,000000FC), ref: 00272CA9
        • Part of subcall function 00254871: __EH_prolog3.LIBCMT ref: 00254878
        • Part of subcall function 00254871: CreateSolidBrush.GDI32(?), ref: 00254893
      Similarity
      • API ID: Rect$Fill$BrushCreateH_prolog3InflateSolid
      • String ID: VW%
      • API String ID: 1940447340-697210052
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0029DB31
      • SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 0029DB5C
      • SendMessageW.USER32(?,0000043A,-00000001,00000030), ref: 0029DBA4
      Similarity
      • API ID: MessageSend$H_prolog3_
      • String ID: 0
      • API String ID: 3491702567-4108050209
      APIs
      • GetCursorPos.USER32(?), ref: 002999C0
      • ScreenToClient.USER32(?,?), ref: 002999CD
        • Part of subcall function 00386E1C: _free.LIBCMT ref: 00386E2F
      • SendMessageW.USER32(?,00000030,?,00000000), ref: 00299A59
      Similarity
      • API ID: ClientCursorMessageScreenSend_free
      • String ID: ,
      • API String ID: 1549304721-3772416878
      APIs
      • __EH_prolog3.LIBCMT ref: 0024CCBB
      • __EH_prolog3.LIBCMT ref: 0024CD00
        • Part of subcall function 00247CE1: __EH_prolog3.LIBCMT ref: 00247CE8
      Similarity
      • API ID: H_prolog3
      • String ID: 6I$$6I$
      • API String ID: 431132790-1489448096
      APIs
      • _free.LIBCMT ref: 00397D45
      • _free.LIBCMT ref: 00397D9B
        • Part of subcall function 00397B77: _free.LIBCMT ref: 00397BCF
        • Part of subcall function 00397B77: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003DEC4C), ref: 00397BE1
      Similarity
      • API ID: _free$InformationTimeZone
      • String ID: L=
      • API String ID: 597776487-305936114
      APIs
      Similarity
      • API ID: ClassEmptyH_prolog3_NameRect
      • String ID: SysListView32
      • API String ID: 2539663969-78025650
      APIs
      Similarity
      • API ID: EmptyH_prolog3_Rect
      • String ID: Afx:ToolBar$_MOUSEANCHORWND@@
      • API String ID: 2941628838-2708727887
      APIs
      • __EH_prolog3.LIBCMT ref: 003296FE
        • Part of subcall function 0028682B: __EH_prolog3.LIBCMT ref: 00286832
        • Part of subcall function 0028682B: SetRectEmpty.USER32 ref: 0028691C
        • Part of subcall function 0028682B: SetRectEmpty.USER32(?), ref: 00286947
      • SetRectEmpty.USER32 ref: 003297FE
      • SetRectEmpty.USER32(?), ref: 00329805
      Similarity
      • API ID: EmptyRect$H_prolog3
      • String ID: 4{<
      APIs
      • __EH_prolog3.LIBCMT ref: 0027D3C1
      • LoadCursorW.USER32(00000000,00007F00), ref: 0027D3E5
      • GetClassInfoW.USER32(?,?,?), ref: 0027D426
        • Part of subcall function 0025813C: __EH_prolog3_catch.LIBCMT ref: 00258143
        • Part of subcall function 0025813C: GetClassInfoW.USER32(00000000,?,?), ref: 00258155
      Strings
      Similarity
      • API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
      • String ID: %Ts:%x:%x:%x:%x
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0025E90C
      • SystemParametersInfoW.USER32(00000029,000001F8,?,00000000), ref: 0025E967
      • CreateFontIndirectW.GDI32(?), ref: 0025E974
      Strings
      Similarity
      • API ID: CreateFontH_prolog3_IndirectInfoParametersSystem
      • String ID: l:;
      APIs
        • Part of subcall function 0024F2A5: LoadLibraryW.KERNEL32(?,003EC398,00000010,0024ED77,?,?,?,00000000), ref: 0024F2DF
      • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00251745
      • FreeLibrary.KERNEL32(00000000), ref: 00251791
        • Part of subcall function 0024D35E: GetLastError.KERNEL32(0025173C,comctl32.dll,0024EA93), ref: 0024D35E
      Strings
      Similarity
      • API ID: Library$AddressErrorFreeLastLoadProc
      • String ID: DllGetVersion$comctl32.dll
      APIs
      • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00271657
        • Part of subcall function 002C5706: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 002C5748
      Strings
      Similarity
      • API ID: ContextExternal$BaseBase::~Concurrency::details::
      • String ID: VW%$hW%$xs;
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,0024C670,?,?,00000000,?,?,?,?,?,?), ref: 0024C6BA
      • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0024C6CA
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegCreateKeyTransactedW
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0024C72C
      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0024C73C
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegDeleteKeyTransactedW
      APIs
      • __EH_prolog3.LIBCMT ref: 00246C09
      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,T:,00000004,80004005,?,?,?,?,00000000,?), ref: 00246C37
      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,000000FF,00000000,00000000), ref: 00246C53
      Strings
      Similarity
      • API ID: ByteCharMultiWide$H_prolog3
      • String ID: T:
      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 002518B0
      • GetClassNameW.USER32(?,?,0000000A), ref: 002518C5
      • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 002518DC
      Strings
      Similarity
      • API ID: ClassCompareLongNameStringWindow
      • String ID: combobox
      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,80070057), ref: 0024DECE
      • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 0024DEDE
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: GetFileAttributesTransactedW$kernel32.dll
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00243040
      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00243050
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegOpenKeyTransactedW
      APIs
      • GetBkColor.GDI32(?), ref: 0029078D
      • GetTextColor.GDI32(?), ref: 00290838
      • GetBkColor.GDI32(?), ref: 00290A3D
      • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 00290B4B
      Similarity
      • API ID: Color$DrawIconText
      • String ID:
      APIs
      Similarity
      • API ID: _strrchr
      • String ID:
      APIs
      • __EH_prolog3.LIBCMT ref: 002A0378
      • __EH_prolog3_GS.LIBCMT ref: 002A0414
      • IsWindowVisible.USER32(?), ref: 002A0459
      • BringWindowToTop.USER32(00000000), ref: 002A062D
        • Part of subcall function 002572CD: ShowWindow.USER32(?,00000000,?,?,0024F8A4,00000000,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001), ref: 002572DE
      Similarity
      • API ID: Window$BringH_prolog3H_prolog3_ShowVisible
      • String ID:
      APIs
      Similarity
      • API ID: EmptyRect$Window
      • String ID:
      APIs
      Similarity
      • API ID: Rect$CopyEmptyWindow
      • String ID:
      APIs
      • SetRectEmpty.USER32(?), ref: 00287156
      • GetWindowRect.USER32(?,?), ref: 00287163
      • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0028719C
      • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00287234
      Similarity
      • API ID: MessageRectSend$EmptyWindow
      • String ID:
      APIs
      • InflateRect.USER32(?), ref: 002696C0
      • InflateRect.USER32(?), ref: 00269725
      • InflateRect.USER32(?,000000FE,000000FE), ref: 00269759
        • Part of subcall function 00267B6D: __EH_prolog3.LIBCMT ref: 00267B74
      • InflateRect.USER32(?,000000FE,000000FE), ref: 0026978B
      Similarity
      • API ID: InflateRect$H_prolog3
      • String ID:
      APIs
      • GetObjectW.GDI32(?,00000018,?), ref: 0026AE8E
      • DeleteObject.GDI32(00000000), ref: 0026AF58
      • DeleteObject.GDI32(00000000), ref: 0026AF61
      • DeleteObject.GDI32(00000000), ref: 0026AF70
      Similarity
      • API ID: Object$Delete
      • String ID:
      • API String ID: 774837909-0
      • Opcode ID: fa79d8434a3087cd72b684df372c7c3e92bb7f7518cffea46f76687be8c08944
      • Instruction ID: 249b0c037e723ceb20f5e25ddbfeb25e84cd984563d38b76d8ab1a89e83841fe
      • Opcode Fuzzy Hash: fa79d8434a3087cd72b684df372c7c3e92bb7f7518cffea46f76687be8c08944
      • Instruction Fuzzy Hash: D1418E71A2021ADBDF21DF64C985BAEB7B5EB04300F148125E911B7281D776CDE1CF92
      APIs
      Similarity
      • API ID: EmptyRect
      • String ID:
      • API String ID: 2270935405-0
      • Opcode ID: bd7a8a74726af0f511933deec58a06da4e60333fee7e845ff21e050bffda671b
      • Instruction ID: e48f4e617c6db1ec09443e2189737c77fbe99f7dec169b180d39e321fbc414c0
      • Opcode Fuzzy Hash: bd7a8a74726af0f511933deec58a06da4e60333fee7e845ff21e050bffda671b
      • Instruction Fuzzy Hash: CF51D6B0821222CFCB219F29D5C46E53BA8BB09B55F1841BBED0DCF65AD7B05441DFA1
      APIs
      • FindResourceW.KERNEL32(00000000,?,00000006,?,?), ref: 002423EE
      • LoadResource.KERNEL32(00000000,00000000,?,?), ref: 00242401
      • LockResource.KERNEL32(00000000,?,?), ref: 00242410
      • SizeofResource.KERNEL32(00000000,?,?,?), ref: 00242424
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: eef6633888b808f2fb50c15ebde1d4d0aaf90ee72c03ec241073c9a88b9771c6
      • Instruction ID: ba2e2a8b1e287560374eac3b35478d8981caa7237160edce58bf78067ce9da01
      • Opcode Fuzzy Hash: eef6633888b808f2fb50c15ebde1d4d0aaf90ee72c03ec241073c9a88b9771c6
      • Instruction Fuzzy Hash: B2312272610512DFCB28DF2ADC8497AFBECEF84311740826AF845DB250EA35DC64CBA0
      APIs
      Similarity
      • API ID: Rect$Empty
      • String ID:
      • API String ID: 4257549173-0
      • Opcode ID: a8404db723a64256c1670f878e8189af46003e68745aad97f516cfb9c4aca036
      • Instruction ID: 93d0f6fb5219c54f186b45b24768c38fa4235198e0ec3d27c865c48e7c746e60
      • Opcode Fuzzy Hash: a8404db723a64256c1670f878e8189af46003e68745aad97f516cfb9c4aca036
      • Instruction Fuzzy Hash: FC415BB5A002199FCF41DF64DC88AAEBBF9FF5D350B144169E80AE7210DB349E11CB90
      APIs
      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 0024FFAD
        • Part of subcall function 0024FFDF: RegCloseKey.ADVAPI32(00000000,?,?,?,?,0024FE08,?,00000000), ref: 00250024
      • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 0024FEFC
      • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0024FF38
      • RegCloseKey.ADVAPI32(00000000), ref: 0024FF52
      Similarity
      • API ID: CloseQueryValue$PrivateProfileString
      • String ID:
      • API String ID: 2114517702-0
      • Opcode ID: eaf3f84b775b60c6c22db5eedc9cf85653949fd17294b4abcd8b0744efa7d1d8
      • Instruction ID: 65107d3a159ce014d39a2f2a44e09f04b948f13b8afe89bf1a115bf0c415a18f
      • Opcode Fuzzy Hash: eaf3f84b775b60c6c22db5eedc9cf85653949fd17294b4abcd8b0744efa7d1d8
      • Instruction Fuzzy Hash: C1419371910319DFDB29DF15CD49EAEB3B8EB44310F0001AAF909A7282DB749E59DF60
      APIs
      • EnableMenuItem.USER32(00000000,?,?), ref: 0024E59D
      • GetFocus.USER32 ref: 0024E5B7
      • GetParent.USER32(?), ref: 0024E5C2
      • SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0024E5D7
      Similarity
      • API ID: EnableFocusItemMenuMessageParentSend
      • String ID:
      • API String ID: 2297321873-0
      • Opcode ID: 8e73c9c411333822ab25ea654977e05af02f3ad2c97ca633c13f988f4ec7d531
      • Instruction ID: 70009b7dad2bb15076d2828c3560951e0b369c19a64add73b5e7367eb9e3741f
      • Opcode Fuzzy Hash: 8e73c9c411333822ab25ea654977e05af02f3ad2c97ca633c13f988f4ec7d531
      • Instruction Fuzzy Hash: 9C41E471610205EFEF299F28C884B6AB7B9FF55714F148229F41A93690EB74EC50CB90
      APIs
      • FindResourceW.KERNEL32(00000000,?,00000006,?,00000010,?,?,0025617E,00000000,?,?,00000000,00000004,00256144,00000000,?), ref: 002426BB
      • LoadResource.KERNEL32(00000000,00000000,?,00000010,?,?,0025617E,00000000,?,?,00000000,00000004,00256144,00000000,?,0024AD7B), ref: 002426CE
      • LockResource.KERNEL32(00000000,?,00000010,?,?,0025617E,00000000,?,?,00000000,00000004,00256144,00000000,?,0024AD7B,00000001), ref: 002426DD
      • SizeofResource.KERNEL32(00000000,?,?,00000010,?,?,0025617E,00000000,?,?,00000000,00000004,00256144,00000000,?,0024AD7B), ref: 002426F3
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: 11ebf73cc52d3a062b9fafe2faffad6c355cecda92274f77b1237c8008db4a07
      • Instruction ID: 5faefaa09d50fe2d2de750c19513e9bae7b0b7536755b620ca3c18bd16ae9e37
      • Opcode Fuzzy Hash: 11ebf73cc52d3a062b9fafe2faffad6c355cecda92274f77b1237c8008db4a07
      • Instruction Fuzzy Hash: A531E636610516EFDB249F2ACC8497AF3ADEF84351B50812AFC45DB250DB31EC65CBA0
      APIs
      • SetRectEmpty.USER32(?), ref: 00271FCF
      • RedrawWindow.USER32(?,?,00000000,00000105), ref: 00271FE4
      • IsRectEmpty.USER32(?), ref: 0027203C
      • RedrawWindow.USER32(?,?,00000000,00000105), ref: 00272068
        • Part of subcall function 0027207F: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 002720F3
      Similarity
      • API ID: RedrawWindow$EmptyRect
      • String ID:
      • API String ID: 138230908-0
      • Opcode ID: b60494e78fbfa400ca3eee28bcba4b1a29a7e42945b9fb3c9a7a8d77f384ac71
      • Instruction ID: 9e275ffc3f48f80eaeb36e85bb77ca69414f7a2452a07ba7780bc5ccea61e8a7
      • Opcode Fuzzy Hash: b60494e78fbfa400ca3eee28bcba4b1a29a7e42945b9fb3c9a7a8d77f384ac71
      • Instruction Fuzzy Hash: C1418B71A20615DFCB16DF68C884AEEB7B9FF19300F148029ED09AF251D771AA55CFA0
      APIs
      • FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
      • LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
      • LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
      • SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: 7989f3d4dbb6ad337cdae739647c56dc586d9437edd489907619ac8455f5a37d
      • Instruction ID: 4d0f1813947a2e61c1891c6888bf80a811855f0d2f31ebc1ce43d68e8eec1abf
      • Opcode Fuzzy Hash: 7989f3d4dbb6ad337cdae739647c56dc586d9437edd489907619ac8455f5a37d
      • Instruction Fuzzy Hash: A631D171611217EFCB289F2ACC8497AB7ECEF45340B42052AF945DB254DA30EC65CBA4
      APIs
      • GetParent.USER32(?), ref: 00268142
      • GetClientRect.USER32(?,?), ref: 00268189
      • GetWindowRect.USER32(?,?), ref: 002681CF
      • GetSystemMetrics.USER32(00000007), ref: 002681E3
      Similarity
      • API ID: Rect$ClientMetricsParentSystemWindow
      • String ID:
      • API String ID: 2120119201-0
      • Opcode ID: 7fd7457a19f720fb800af4dab292f3498bb73d4d11333b0b19a147c8f24f6a65
      • Instruction ID: 0925fd2fd944697576b006ab6a23239c05f20efb9d61cf768e8bc952377e1114
      • Opcode Fuzzy Hash: 7fd7457a19f720fb800af4dab292f3498bb73d4d11333b0b19a147c8f24f6a65
      • Instruction Fuzzy Hash: C731E671D102099FCF01DFA8D9859EEBBF9FF09300F10456AE905EB211DA71A955CF64
      APIs
      • SetRectEmpty.USER32(00000000), ref: 002617A3
      • GetClientRect.USER32(?,00000000), ref: 002617C3
      • GetParent.USER32(?), ref: 002617E2
      • OffsetRect.USER32(00000000,00000000,00000000), ref: 00261864
      Similarity
      • API ID: Rect$ClientEmptyOffsetParent
      • String ID:
      • API String ID: 3819956977-0
      • Opcode ID: 5004e39c84893fdd465c533c19d7dae629af672a6c505bb1741c343e13486aeb
      • Instruction ID: a2443eec1c8b8ff3dbee128e74a93c9c17d26e1f996a83e76dc29e33f37262f3
      • Opcode Fuzzy Hash: 5004e39c84893fdd465c533c19d7dae629af672a6c505bb1741c343e13486aeb
      • Instruction Fuzzy Hash: D331C471610602EFE719DF65D885E75B7A9FF45710B18822DE8098B691EB30FCB0CBA0
      APIs
      • GetWindowRect.USER32(?,?), ref: 002F350A
      • EqualRect.USER32(?,?), ref: 002F3535
      • BeginDeferWindowPos.USER32(?), ref: 002F3542
      • EndDeferWindowPos.USER32(00000000), ref: 002F3568
        • Part of subcall function 00289BE0: GetWindowRect.USER32(?,00000140), ref: 00289BF4
        • Part of subcall function 00289BE0: GetParent.USER32(?), ref: 00289C4A
        • Part of subcall function 00289BE0: GetParent.USER32(?), ref: 00289C5E
      Similarity
      • API ID: Window$Rect$DeferParent$BeginEqual
      • String ID:
      • API String ID: 2054780619-0
      • Opcode ID: 768a7f80ae0fd88909246d94075788f504caec2fa8a0b6c4d4ad719725da9fc7
      • Instruction ID: e86c256619d7a626541853f7a417f03d607f3f4e98888ea714b6190c70ed3b24
      • Opcode Fuzzy Hash: 768a7f80ae0fd88909246d94075788f504caec2fa8a0b6c4d4ad719725da9fc7
      • Instruction Fuzzy Hash: 68314971E1021EABCF11DFA5D9849EEFBB9BF4D350F50412AE905A3210DB30AA14CFA1
      APIs
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0028C328
      • InflateRect.USER32(?,000000FF,000000FF), ref: 0028C366
      • InflateRect.USER32(?,?,?), ref: 0028C397
      • InflateRect.USER32(?,00000001,00000001), ref: 0028C3C0
      Similarity
      • API ID: InflateRect
      • String ID:
      • API String ID: 2073123975-0
      • Opcode ID: 809844862ba8af8a5433492512a69b3135c94dd240a8aef583a88973613fe339
      • Instruction ID: de4a6e1ecad7df18936b528033c684c8b4aab4b3ee8694c6275f5cb870f779bd
      • Opcode Fuzzy Hash: 809844862ba8af8a5433492512a69b3135c94dd240a8aef583a88973613fe339
      • Instruction Fuzzy Hash: AB315C31624249AFCF15BFA4EC85C9E3B6CFB45328B100A65F5119B1A2EA30D8B5DF60
      APIs
        • Part of subcall function 0031DC35: __EH_prolog3_catch.LIBCMT ref: 0031DC3C
      • GetWindowRect.USER32(?,?), ref: 002A4E95
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A7D
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A8A
      • PtInRect.USER32(?,?,?), ref: 002A4EB0
        • Part of subcall function 002A55D0: KillTimer.USER32(?,0000EC13,?,?,002A4EC1), ref: 002A565E
      • GetWindowRect.USER32(?,?), ref: 002A4EE9
      • PtInRect.USER32(?,?,?), ref: 002A4F04
      Similarity
      • API ID: Rect$ClientScreenWindow$H_prolog3_catchKillTimer
      • String ID:
      • API String ID: 307328177-0
      • Opcode ID: c4d48602c2adee6e09d8ea62805f827376ea406663d95a54f1f4e8bf17f0662a
      • Instruction ID: be734ea047d76df5aac83c42761f4ce2ded4a8b33961fed37d4b70f5fd817589
      • Opcode Fuzzy Hash: c4d48602c2adee6e09d8ea62805f827376ea406663d95a54f1f4e8bf17f0662a
      • Instruction Fuzzy Hash: CE313C71E1021E9BCF01EFA4C9449EEBBB9FF49700B14452AF805A7211DB759E25CFA1
      APIs
      • GetCursorPos.USER32(00000001), ref: 00274866
      • ScreenToClient.USER32(?,00000001), ref: 00274873
      • SetCursor.USER32(?), ref: 002748A4
      • PtInRect.USER32(?,00000001,?), ref: 00274915
      Similarity
      • API ID: Cursor$ClientRectScreen
      • String ID:
      • API String ID: 2390797981-0
      • Opcode ID: a09de1ad7a75aa624369110f42c4f1c624e1388398802b1cafddf46790d0e4f3
      • Instruction ID: 65751419575026d137ed6c928f4904a10e550661d861273cdfd3cf19fdf385d4
      • Opcode Fuzzy Hash: a09de1ad7a75aa624369110f42c4f1c624e1388398802b1cafddf46790d0e4f3
      • Instruction Fuzzy Hash: 51319132A2014AFFCF16EFA4D8889AEBBBDFF15304F058169E509A7111DB309A61CF50
      APIs
      • GetWindowRect.USER32(?,?), ref: 00288111
      • GetParent.USER32(?), ref: 0028811A
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A7D
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A8A
      • OffsetRect.USER32(?,00000000,?), ref: 0028815B
      • OffsetRect.USER32(?,?,00000000), ref: 0028816B
      Similarity
      • API ID: Rect$ClientOffsetScreen$ParentWindow
      • String ID:
      • API String ID: 182828750-0
      • Opcode ID: d592c4de14638114001acacec781ab5aefe2167c649020e8c620180af0a20026
      • Instruction ID: e3f6aa860130659be746a2e3e79e5aa28c34351d9fc22594ae27895b9e3fcd14
      • Opcode Fuzzy Hash: d592c4de14638114001acacec781ab5aefe2167c649020e8c620180af0a20026
      • Instruction Fuzzy Hash: 33214D72910209AFDF15EFA8DC889BEB7BDEB49300F10451AF505E3290DA349D54CB61
      APIs
      • RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,?,00291CC6,00000002,00000000), ref: 00291A1A
      • RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,?,00291CC6,00000002,00000000), ref: 00291A47
      • RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,?,00291CC6,00000002,00000000), ref: 00291A84
      • RedrawWindow.USER32(?,00000000,00000000,00000585,?), ref: 002DF98A
      Similarity
      • API ID: RedrawWindow
      • String ID:
      • API String ID: 2219533335-0
      • Opcode ID: c78277902907970c40c4f1e1b36adb18c9a74d3092c4c348d735021dfc5a5a2e
      • Instruction ID: f0bcc9a68fd297a7f9f48ac6bd55350f42aab179bd5fc0ccae25117e6c20d009
      • Opcode Fuzzy Hash: c78277902907970c40c4f1e1b36adb18c9a74d3092c4c348d735021dfc5a5a2e
      • Instruction Fuzzy Hash: EE21C432A61B13ABDB225F22DC05B6672A5BF49B11F150615ED457B2A0EB60AC70CE88
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 446536d189390c401beffe25645f950d6be4558a333e494cc3f24c207f49b2fb
      • Instruction ID: b97a42f113a8b6067a123935f2333ec0a9bd784f3358c376d5d8dcf4e305aed1
      • Opcode Fuzzy Hash: 446536d189390c401beffe25645f950d6be4558a333e494cc3f24c207f49b2fb
      • Instruction Fuzzy Hash: A32138B1640705EBEB327F61AC05B5E77ACEB403A0F2241B5F611AB190E7709D009755
      APIs
      • __EH_prolog3.LIBCMT ref: 0026C358
      • GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 0026C3CF
      • CreatePalette.GDI32(00000000), ref: 0026C41C
        • Part of subcall function 0026BAD4: GetObjectW.GDI32(?,00000002,?), ref: 0026BAE1
      • GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 0026C403
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Palette$Entries$CreateH_prolog3ObjectSystem
      • String ID:
      • API String ID: 374951733-0
      • Opcode ID: 65a73ecc13ece0bd4ec0f30fafb45dc988475c8a35caede8c3a590b3fca8089d
      • Instruction ID: 54ac2f1539db0be083c4a13373d2fd15b7163206b18ccc3c95155e215dcd94d8
      • Opcode Fuzzy Hash: 65a73ecc13ece0bd4ec0f30fafb45dc988475c8a35caede8c3a590b3fca8089d
      • Instruction Fuzzy Hash: F821D3726202019FDB0AEF64C855BAE77E4BF09310F148069F9099B291EFB49C64CFA1
      APIs
      • GetLastError.KERNEL32(?,?,?,003852CD,?,?,00242025,?,00384D2C,?,?,?,00000000), ref: 00393557
      • _free.LIBCMT ref: 003935B4
      • _free.LIBCMT ref: 003935EA
      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00242025,?,00384D2C,?,?,?,00000000), ref: 003935F5
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorLast_free
      • String ID:
      • API String ID: 2283115069-0
      • Opcode ID: e32bcf0422b9408524e32688ed1dd306799b6a8412e435658a0b07040ba6838b
      • Instruction ID: e6b5df9289a9819ffaa9afbf3a8cef17c9a5303c7220c3d61a6c2b7498105d54
      • Opcode Fuzzy Hash: e32bcf0422b9408524e32688ed1dd306799b6a8412e435658a0b07040ba6838b
      • Instruction Fuzzy Hash: F111E9F26405527ADE13777A9C86F3B266EDBC6374B270628F1219B2E1ED708E118264
      APIs
      • GetParent.USER32(?), ref: 0026825D
      • GetWindowRect.USER32(?,00000000), ref: 002682A4
      • OffsetRect.USER32(00000000,00000000,?), ref: 002682BC
      • GetWindow.USER32(00000000,00000005), ref: 002682DC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: RectWindow$OffsetParent
      • String ID:
      • API String ID: 3516746122-0
      • Opcode ID: fd41a12bf0059cf23247c7e61442f5b2ce357b04c8252130e9b1c2206d49ea8f
      • Instruction ID: 4eedec529d524f2ea524f383f7567b11ddf4ca5695668b6c758db521f9fe4f71
      • Opcode Fuzzy Hash: fd41a12bf0059cf23247c7e61442f5b2ce357b04c8252130e9b1c2206d49ea8f
      • Instruction Fuzzy Hash: D5218171A1060AAFDF11AFA4DC59FAEBBBCBF04322F100619F910A61D1DB7499148B64
      APIs
      • GetLastError.KERNEL32(?,?,?,00386E0E,00392F35,?,?,00246940,?,?,?,?,002473CB,?,?,0024768D), ref: 003936AE
      • _free.LIBCMT ref: 0039370B
      • _free.LIBCMT ref: 00393741
      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00386E0E,00392F35,?,?,00246940,?,?,?,?,002473CB), ref: 0039374C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorLast_free
      • String ID:
      • API String ID: 2283115069-0
      • Opcode ID: 924bb63a535aae62c1c70cf4700b5e0b9fbdf107fa635fe3f037f474175aac3e
      • Instruction ID: 657b58b5cf22d7e9b1b74daeb0ef49a363648cda838993ec05a85f68b2045d45
      • Opcode Fuzzy Hash: 924bb63a535aae62c1c70cf4700b5e0b9fbdf107fa635fe3f037f474175aac3e
      • Instruction Fuzzy Hash: 9E110CF33405127ADE1367B6ACC5E3B215EDBC1774B260234F1259B2E1EE718D118268
      APIs
      • GetParent.USER32(?), ref: 0029FA07
      • SendMessageW.USER32(?,?,?,00000000), ref: 0029FA22
      • SendMessageW.USER32(?,?), ref: 0029FA3D
      • NotifyWinEvent.USER32(00008006,?,000000FC,?), ref: 0029FAAE
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$EventNotifyParent
      • String ID:
      • API String ID: 1322302069-0
      • Opcode ID: 092fa8713fa259ec9b8d70ad2f00aa474dd07cf4bc0a02a8490d30edf79b8579
      • Instruction ID: cb762256f8f6064edf8cef42c4f3f53f88588c37edf507c609d26c22120ce130
      • Opcode Fuzzy Hash: 092fa8713fa259ec9b8d70ad2f00aa474dd07cf4bc0a02a8490d30edf79b8579
      • Instruction Fuzzy Hash: 2121AE32210202AFDF459F60DD84EAABB6DFB49310F040129FA1D83121DB316864DFA0
      APIs
      • BeginDeferWindowPos.USER32(00000000), ref: 00261CAE
      • IsWindow.USER32(?), ref: 00261CC9
      • DeferWindowPos.USER32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00261D19
      • EndDeferWindowPos.USER32(00000000), ref: 00261D24
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Defer$Begin
      • String ID:
      • API String ID: 2880567340-0
      • Opcode ID: 425495d1a891d069a95bd7c502528c64e55e289e1421bb9a0e4c39d842d30ae1
      • Instruction ID: 28cce7e838232761157dd456056a8db7709e35c59195e43e73207e79aaf89392
      • Opcode Fuzzy Hash: 425495d1a891d069a95bd7c502528c64e55e289e1421bb9a0e4c39d842d30ae1
      • Instruction Fuzzy Hash: D4211A71E1021AAFDB01DFA9DD85AAEBBFDEB0D300F14442AA505E3251D734A961CBA0
      APIs
      • LoadImageW.USER32(?,00000000,00000000,00000000,00000000,00003000), ref: 002A56C0
      • GetObjectW.GDI32(00000000,00000018,?), ref: 002A56D4
      • InvalidateRect.USER32(00000000,00000000,00000001), ref: 002A5723
      • UpdateWindow.USER32(00000000), ref: 002A572C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ImageInvalidateLoadObjectRectUpdateWindow
      • String ID:
      • API String ID: 3870781972-0
      • Opcode ID: 9e5ce9b0aab082a283ebab88d2d306a94098e9bc4be5d6644bbf0a67542d59e5
      • Instruction ID: 6da28aef180ef3df8e75f88190c3c624039e6a82af1c408e8803179c86c3cb6c
      • Opcode Fuzzy Hash: 9e5ce9b0aab082a283ebab88d2d306a94098e9bc4be5d6644bbf0a67542d59e5
      • Instruction Fuzzy Hash: 9F216D71520B00EFDB659F74CC89BEBB7E8EF45311F10492EE95696190EB74A814CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$CallCursorHookNextWindow
      • String ID:
      • API String ID: 3719484595-0
      • Opcode ID: 2cd25bb4b31dc84da18238ff930bae47f5a09f60656e286288d9437f3dcd201f
      • Instruction ID: 0a238fb0a773a8cf6381ae2d860a1e214c450f438ecb01aae7d11c1a83a11e81
      • Opcode Fuzzy Hash: 2cd25bb4b31dc84da18238ff930bae47f5a09f60656e286288d9437f3dcd201f
      • Instruction Fuzzy Hash: 65213EBA91110BEBCF15EFA9DD499AEBFB8FF59300F004129E611E65A0D7359A10CF50
      APIs
      • FindResourceW.KERNEL32(?,?,00000005,?,?,?,?,?,00263784,?,?), ref: 00264A76
      • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,00263784,?,?), ref: 00264A8B
      • LockResource.KERNEL32(00000000,?,?,?,?,?,00263784,?,?), ref: 00264A9D
      • GlobalFree.KERNEL32(?), ref: 00264ADC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$FindFreeGlobalLoadLock
      • String ID:
      • API String ID: 3898064442-0
      • Opcode ID: aa4899415c25eb93a6bd3054be50df6bfa1303bdff2e4e91fc72d208d634ea82
      • Instruction ID: 4b74cc2ef32594e3c7af9362e0371a80a949702f42ac3209bb1ca3abfabe32e9
      • Opcode Fuzzy Hash: aa4899415c25eb93a6bd3054be50df6bfa1303bdff2e4e91fc72d208d634ea82
      • Instruction Fuzzy Hash: 7F119035110602AFC712BFA6C8A9B6B77E9EF85321F15806DE88593211DB70DC958B20
      APIs
        • Part of subcall function 00256E92: GetDlgItem.USER32(?,?), ref: 00256EA3
      • GetWindowLongW.USER32(?,000000F0), ref: 002569BD
      • GetWindowTextLengthW.USER32(?), ref: 002569EA
      • GetWindowTextW.USER32(?,00000000,00000100), ref: 00256A1A
      • SendMessageW.USER32(?,0000014D,000000FF,?), ref: 00256A3A
        • Part of subcall function 00251675: GetWindowTextW.USER32(?,?,00000100), ref: 002516CB
        • Part of subcall function 00251675: lstrcmpW.KERNEL32(?,0024EA93,?,00000000), ref: 002516DD
        • Part of subcall function 00251675: SetWindowTextW.USER32(?,0024EA93), ref: 002516E9
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Text$ItemLengthLongMessageSendlstrcmp
      • String ID:
      • API String ID: 4153035386-0
      • Opcode ID: 5d56561b526721653a907ce5b51c4d575c4c487e4d25026b3748359d7b92cadf
      • Instruction ID: 65c23e4606c5f1ae9599a76ecd36a3cdef3bbbaabda91e231c07d124e58383a7
      • Opcode Fuzzy Hash: 5d56561b526721653a907ce5b51c4d575c4c487e4d25026b3748359d7b92cadf
      • Instruction Fuzzy Hash: 8A118131120115EBDF16AF54CC0AAAD7769EF04321F604114FC21A71E1C7726D64AF48
      APIs
      • GetCursorPos.USER32(00000000), ref: 00287348
        • Part of subcall function 00289BE0: GetWindowRect.USER32(?,00000140), ref: 00289BF4
        • Part of subcall function 00289BE0: GetParent.USER32(?), ref: 00289C4A
        • Part of subcall function 00289BE0: GetParent.USER32(?), ref: 00289C5E
      • ScreenToClient.USER32(?,?), ref: 00287370
      • SetCapture.USER32(?), ref: 0028739B
      • GetWindowRect.USER32(?,?), ref: 002873E0
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ParentRectWindow$CaptureClientCursorScreen
      • String ID:
      • API String ID: 3234571238-0
      • Opcode ID: d724ebb526a9ab3e4968d1ac6218a662edfd28092bf99a75608901a5de642108
      • Instruction ID: 75d72d70dc76e372b632f715c861ade913d5de39fe284b49085c36ef4aafff1e
      • Opcode Fuzzy Hash: d724ebb526a9ab3e4968d1ac6218a662edfd28092bf99a75608901a5de642108
      • Instruction Fuzzy Hash: E921AC71610205EFCB0ADF64C848BEDBBF8FF49305F140259E80983260EB34A961CF81
      APIs
      • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 0025018E
      • RegCloseKey.ADVAPI32(00000000), ref: 00250197
      • swprintf.LIBCMT ref: 002501B4
      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 002501C5
        • Part of subcall function 0024FFDF: RegCloseKey.ADVAPI32(00000000,?,?,?,?,0024FE08,?,00000000), ref: 00250024
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Close$PrivateProfileStringValueWriteswprintf
      • String ID:
      • API String ID: 581541481-0
      • Opcode ID: c13a0e680ee4d09598dd1ae30a308f604899c37949389b41d6dd74dae23fefa5
      • Instruction ID: 6892304c62225ad67e025909b4fa5d6c549961e707f35004d75176257338c2a0
      • Opcode Fuzzy Hash: c13a0e680ee4d09598dd1ae30a308f604899c37949389b41d6dd74dae23fefa5
      • Instruction Fuzzy Hash: AF01C072510208BBD711EF658D85FABB3BCAF49B04F104829FA01EB180D7B4ED149B61
      APIs
      • GetObjectW.GDI32(?,0000000C,?), ref: 00259CE6
      • SetBkColor.GDI32(?,?), ref: 00259CF0
      • GetSysColor.USER32(00000008), ref: 00259D00
      • SetTextColor.GDI32(?,?), ref: 00259D08
        • Part of subcall function 00251895: GetWindowLongW.USER32(?,000000F0), ref: 002518B0
        • Part of subcall function 00251895: GetClassNameW.USER32(?,?,0000000A), ref: 002518C5
        • Part of subcall function 00251895: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 002518DC
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Color$ClassCompareLongNameObjectStringTextWindow
      • String ID:
      • API String ID: 3274569906-0
      • Opcode ID: 0895dfd060cd082668b18fe7cfb978ed4d356c20c57f4a63875165aead16cd82
      • Instruction ID: e9ba683408dfeef382e4aff78269fef6db67657925459df75cd89a0f35aec15a
      • Opcode Fuzzy Hash: 0895dfd060cd082668b18fe7cfb978ed4d356c20c57f4a63875165aead16cd82
      • Instruction Fuzzy Hash: 5A01AD32A21105EB9B21EF698C44ABFB7BCEB4A312F240515FD02D7180C730DC699BA5
      APIs
      • CreateThread.KERNEL32(00000000,?,00389CE3,00000000,00000004,00000000), ref: 00389E90
      • GetLastError.KERNEL32(?,?,?,00323D06,00323D55,00000000,00000000,?,?,?,0029AE67,00000001), ref: 00389E9C
      • __dosmaperr.LIBCMT ref: 00389EA3
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CreateErrorLastThread__dosmaperr
      • String ID:
      • API String ID: 2744730728-0
      • Opcode ID: 72e31fc69f8ebe1a0e0c28ee534d4292595ef1dc597f0ace79e4ba49793de03d
      • Instruction ID: 705c1a2a5df10ab9ab4b2359af5086970533c1fa7eea36cef99ec419981a57c6
      • Opcode Fuzzy Hash: 72e31fc69f8ebe1a0e0c28ee534d4292595ef1dc597f0ace79e4ba49793de03d
      • Instruction Fuzzy Hash: 8E01C432500314BBDB12BB65DC06BAE7FADEF81371F25429AF5249A0D0DB709905C7A0
      APIs
      • GetClientRect.USER32(00000000,?), ref: 0027AC89
      • GetSystemMetrics.USER32(0000002D), ref: 0027AC97
      • GetSystemMetrics.USER32(00000002), ref: 0027ACA3
      • SendMessageW.USER32(00000000,0000101E,00000000,00000000), ref: 0027ACBE
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MetricsSystem$ClientMessageRectSend
      • String ID:
      • API String ID: 2251314529-0
      • Opcode ID: b8e370bd65f4ae44244c72e5c784cb92d2c812519b45daeeae5526635c600c8d
      • Instruction ID: 38981d1f28c4e1028c3cb3b485e5f7cfe5c2fbfec3d2a18ebc583758cd0af99a
      • Opcode Fuzzy Hash: b8e370bd65f4ae44244c72e5c784cb92d2c812519b45daeeae5526635c600c8d
      • Instruction Fuzzy Hash: 84016172E00219AFDB15DFB8DA49AAEFBB8FB48300F01426AE515A3250D7749D14CB51
      APIs
      • InflateRect.USER32(?,00000002,00000002), ref: 00297DDC
      • InvalidateRect.USER32(?,?,00000001), ref: 00297DF0
      • UpdateWindow.USER32(?), ref: 00297DF9
      • SetRectEmpty.USER32(?), ref: 00297E00
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Rect$EmptyInflateInvalidateUpdateWindow
      • String ID:
      • API String ID: 3040190709-0
      • Opcode ID: 6fe3fe41e028f8efce89eb218819ebf94d7575e449687b62d8b3341e94a12f19
      • Instruction ID: ca58e1d5bf45954183adc4da382b09e0d9ee9b3d8653804d4bb0fae78f90b259
      • Opcode Fuzzy Hash: 6fe3fe41e028f8efce89eb218819ebf94d7575e449687b62d8b3341e94a12f19
      • Instruction Fuzzy Hash: 97018071900209DFD711DF69DC89EABBBF8FB4A320F510669E546AB1A1D7305904CB60
      APIs
      • GetTopWindow.USER32(00000000), ref: 0025C1A4
      • GetTopWindow.USER32(00000000), ref: 0025C1E7
      • GetWindow.USER32(00000000,00000002), ref: 0025C209
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window
      • String ID:
      • API String ID: 2353593579-0
      • Opcode ID: 79908331c7f55815a26332bf6559d15b6f0113c1a47d6a79b5d413abaa3d52f8
      • Instruction ID: 9b26af76c52a452e2c695f1600ebee07eddaed7f4008b02bf07bee6697031f5c
      • Opcode Fuzzy Hash: 79908331c7f55815a26332bf6559d15b6f0113c1a47d6a79b5d413abaa3d52f8
      • Instruction Fuzzy Hash: 5D01E93201061AAFCF135F919C05EAE3E2AAF16392F148011FD1594021D736C975EFA9
      APIs
      • GetDlgItem.USER32(?,?), ref: 00259785
      • GetTopWindow.USER32(00000000), ref: 00259792
        • Part of subcall function 0025977B: GetWindow.USER32(00000000,00000002), ref: 002597E1
      • GetTopWindow.USER32(?), ref: 002597C6
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$Item
      • String ID:
      • API String ID: 369458955-0
      • Opcode ID: d106fa49228c48d1e956abca01e534a53f7bd505f8b9e3137dd107aeb495d8cf
      • Instruction ID: 1229ced46c958f106c1a2030d1da85e04a0a1ad4450cd8e9d010a74c4b048eea
      • Opcode Fuzzy Hash: d106fa49228c48d1e956abca01e534a53f7bd505f8b9e3137dd107aeb495d8cf
      • Instruction Fuzzy Hash: EF016271431626E7DF232F619C05E9EBB5DAF1A756F044012FC0099111D731CAB89A99
      APIs
      • InvalidateRect.USER32(?,?,00000001,?,00271D49), ref: 002754BF
      • InvalidateRect.USER32(?,?,00000001), ref: 002754E4
      • InvalidateRect.USER32(?,?,00000001,?), ref: 0027550D
      • UpdateWindow.USER32(?), ref: 00275521
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: InvalidateRect$UpdateWindow
      • String ID:
      • API String ID: 488614814-0
      • Opcode ID: 785f5035cda6e4000b72ed8605ba8f6074565622f43b0d03717bd7a081cb5bb2
      • Instruction ID: 745a3fdd62abba5862a21ffbc17e7e0fcfce36cc43530844af3994ebbe11cba9
      • Opcode Fuzzy Hash: 785f5035cda6e4000b72ed8605ba8f6074565622f43b0d03717bd7a081cb5bb2
      • Instruction Fuzzy Hash: 80010872220A119FE7259F29DD64F92B7B9BF18302F058959E58A972B0C7B0B850CB40
      APIs
      • GetParent.USER32(?), ref: 002571B3
      • GetParent.USER32(?), ref: 002571C6
      • GetParent.USER32(?), ref: 002571E0
      • SetFocus.USER32(?,00000000,?,00000000,00259DD0), ref: 002571F9
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Parent$Focus
      • String ID:
      • API String ID: 384096180-0
      • Opcode ID: e78909f52b7705da45e38dfa9fc6a2b8b4956a57b03164deb6aec349a7640242
      • Instruction ID: 519e40892ceafa7ddc2a01d7b2e3da6047b207c14e1f4c3eb35d8d23330c62cd
      • Opcode Fuzzy Hash: e78909f52b7705da45e38dfa9fc6a2b8b4956a57b03164deb6aec349a7640242
      • Instruction Fuzzy Hash: 22F06D72A207059BDE222F75EC0C92E76BDBF99342B040429FD96C3131DF34D8698B14
      APIs
      • ScreenToClient.USER32(?,?), ref: 0026D3F9
      • PtInRect.USER32(?,?,?), ref: 0026D40C
      • SetCapture.USER32(?), ref: 0026D419
      • RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 0026D43B
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CaptureClientRectRedrawScreenWindow
      • String ID:
      • API String ID: 2178243973-0
      • Opcode ID: 9c07981730e27f1740435fd51fa383c402ecec79d0e4db9fd236b14bdaca70cb
      • Instruction ID: 6d09b32e79c2a2fd5f1b05f94dadc11ea315e261aba370f7ec270c409ab19337
      • Opcode Fuzzy Hash: 9c07981730e27f1740435fd51fa383c402ecec79d0e4db9fd236b14bdaca70cb
      • Instruction Fuzzy Hash: B101FBB1910318EFDB119FA0CC49F9ABBBDFB09301F008519F94692260EA75A9A49B54
      APIs
      • WriteConsoleW.KERNEL32(00000000,0000010B,003875A9,00000000,00000000,?,0039D584,00000000,00000001,00000000,00000000,?,003958CA,00000000,003874C1,00000000), ref: 0039F7FC
      • GetLastError.KERNEL32(?,0039D584,00000000,00000001,00000000,00000000,?,003958CA,00000000,003874C1,00000000,00000000,00000000,?,00395E1E,00000000), ref: 0039F808
        • Part of subcall function 0039F7CE: CloseHandle.KERNEL32(FFFFFFFE,0039F818,?,0039D584,00000000,00000001,00000000,00000000,?,003958CA,00000000,003874C1,00000000,00000000,00000000), ref: 0039F7DE
      • ___initconout.LIBCMT ref: 0039F818
        • Part of subcall function 0039F790: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0039F7BF,0039D571,00000000,?,003958CA,00000000,003874C1,00000000,00000000), ref: 0039F7A3
      • WriteConsoleW.KERNEL32(00000000,0000010B,003875A9,00000000,?,0039D584,00000000,00000001,00000000,00000000,?,003958CA,00000000,003874C1,00000000,00000000), ref: 0039F82D
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
      • String ID:
      • API String ID: 2744216297-0
      • Opcode ID: 281aa06df28613a30a0a4bade8b8b7f87be2dfc4b952d0d3898b341bc484e698
      • Instruction ID: 89f8b2b7eed0943b15e1d7ca631375dcc09050b092751fd054076bc8d633046a
      • Opcode Fuzzy Hash: 281aa06df28613a30a0a4bade8b8b7f87be2dfc4b952d0d3898b341bc484e698
      • Instruction Fuzzy Hash: 95F01C36401115BFCF632FE2DC0499A7F6EEF0D7A0F014420FA18C9130C6729820DB90
      APIs
        • Part of subcall function 002572CD: ShowWindow.USER32(?,00000000,?,?,0024F8A4,00000000,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001), ref: 002572DE
      • UpdateWindow.USER32(?), ref: 00364F2F
      • UpdateWindow.USER32(?), ref: 00364F42
      • SetRectEmpty.USER32(?), ref: 00364F4F
      • SetRectEmpty.USER32(?), ref: 00364F5C
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Window$EmptyRectUpdate$Show
      • String ID:
      • API String ID: 1262231214-0
      • Opcode ID: 62516b7ff9a7169be5b559a6382a8456d496d771e15110c064e17e6039df4784
      • Instruction ID: 109ca8911747c2c77b660e20676ab2785f47c0f7eadf9b215e2edd9dfa3ac235
      • Opcode Fuzzy Hash: 62516b7ff9a7169be5b559a6382a8456d496d771e15110c064e17e6039df4784
      • Instruction Fuzzy Hash: 02F098716246129FDB629F74E808B8677ACBB16306F028859F59AC6161DB70E848CF50
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID:
      • String ID: z<$@<
      • API String ID: 0-1469301584
      • Opcode ID: c1ef9cbc6386172bddc26702b546ae847c41d36de1ef9067d17481d1b0b6982c
      • Instruction ID: 70462b0d8a6c29593d75837470c8dc4134a331f6028f40d0d2efe2b03154fd1e
      • Opcode Fuzzy Hash: c1ef9cbc6386172bddc26702b546ae847c41d36de1ef9067d17481d1b0b6982c
      • Instruction Fuzzy Hash: AD517E357502219BCF15CF25CC98BBD77A5AF89721F0801A9ED06AB390DB74AD118F91
      APIs
        • Part of subcall function 0024D9D5: __EH_prolog3_GS.LIBCMT ref: 0024D9DF
        • Part of subcall function 0024D9D5: GetFullPathNameW.KERNEL32(?,00000104,00000000,?,00000268,0024D62E,?,00000000,?,00000000,00000104,00000000,6I$,?,?), ref: 0024DA12
      • CreateFileW.KERNEL32(00000000,80000000,00000000,0000000C,00000003,?,00000000,?,00000000,?,00000000,?,00000000,00000104,00000000,6I$), ref: 0024D755
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CreateFileFullH_prolog3_NamePath
      • String ID: 6I$$6I$
      • API String ID: 2133410154-1489448096
      • Opcode ID: e2c5086a6fb19cf82c828acb8522813a99c77ca4da0b6eb438d14232c813ad93
      • Instruction ID: 7a045b7c958774e738b1ba444bb20faad2b6565e46633f6e6e17ffdeebc65ac7
      • Opcode Fuzzy Hash: e2c5086a6fb19cf82c828acb8522813a99c77ca4da0b6eb438d14232c813ad93
      • Instruction Fuzzy Hash: CC5129B1A3021A9BDB2CDF24DC89BE9B7A9EB44300F1545A9E419D7291D7B4CE90CF90
      APIs
      • GlobalLock.KERNEL32(?), ref: 002685DA
      • GlobalUnlock.KERNEL32(00000000), ref: 002686F2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$LockUnlock
      • String ID: System
      • API String ID: 2502338518-3470857405
      • Opcode ID: 5b6d3149b785970fd9d48d5770517457bdfed45705b67dbeb29541a3b4b7d961
      • Instruction ID: 8d0530af8ba167a9e63bfe75021b401fcc896f29267094f5088a35e95bf84267
      • Opcode Fuzzy Hash: 5b6d3149b785970fd9d48d5770517457bdfed45705b67dbeb29541a3b4b7d961
      • Instruction Fuzzy Hash: 6A41B275920216DFDF14DFA8C8859BEB7B8FF41344F208629E415D7151EB70AAA4CB90
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ParentRectWindow
      • String ID: ({<
      • API String ID: 2562589006-716903152
      • Opcode ID: 76d2eb545a4d7595e74202d2fef1c1eca41a4349f51d09672030a11cc2dece86
      • Instruction ID: d1f5c4f5765564e5f32f86d74b8ff9a64c6031ff9df19c5e87c0d5c8721717c0
      • Opcode Fuzzy Hash: 76d2eb545a4d7595e74202d2fef1c1eca41a4349f51d09672030a11cc2dece86
      • Instruction Fuzzy Hash: 27316176A002199FCF15EF65CC989BEBBB9EF89310F14406EE806A7291CB346D11CB91
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3Window
      • String ID: 4{<
      • API String ID: 616115145-1065830628
      • Opcode ID: 8a24d40f591817fc05c108066186af3a8facd1212b5c91c3e6fbee11c42199c2
      • Instruction ID: b836efa621b9e0ac6dbfaaf80480dfd999edc7ee791f336cc9b2d07effa1759e
      • Opcode Fuzzy Hash: 8a24d40f591817fc05c108066186af3a8facd1212b5c91c3e6fbee11c42199c2
      • Instruction Fuzzy Hash: 8731D231A112198FCF06AFA4D995ABDBBB6AF89310F14007DE506AB392CF745D10CF56
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CopyRect
      • String ID: $4{<
      • API String ID: 1989077687-3900010886
      • Opcode ID: cfe86dcb2b3593c4f0c1c6f7c180e0bd0d8ac9fef237c710a1084455cf77e4b4
      • Instruction ID: 820d505f305a63fd2dcc8d990fddb9b66d3d9561fbd34643dffe8910c8d134d2
      • Opcode Fuzzy Hash: cfe86dcb2b3593c4f0c1c6f7c180e0bd0d8ac9fef237c710a1084455cf77e4b4
      • Instruction Fuzzy Hash: C931B23520061AAFDB06CF64D888BE9BBE9FF48314F090125FD2987290CB34A961DFD5
      APIs
        • Part of subcall function 0024FFDF: RegCloseKey.ADVAPI32(00000000,?,?,?,?,0024FE08,?,00000000), ref: 00250024
      • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 002500AB
      • RegCloseKey.ADVAPI32(00000000), ref: 002500B4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Close$Value
      • String ID: A
      • API String ID: 299128501-3554254475
      • Opcode ID: 16440ef619431b95ccb6a2e26d565e04b17aee7a7cc1da5db9534027fba38737
      • Instruction ID: 4c825d46cdb1e7e295399ef93f96888ce11f3c83172eac8c474f378d018ea36f
      • Opcode Fuzzy Hash: 16440ef619431b95ccb6a2e26d565e04b17aee7a7cc1da5db9534027fba38737
      • Instruction Fuzzy Hash: BA210736110225ABCF169F65DC45BAF7BB9EF49391F044029FC0ACB251DA74CC51DB61
      APIs
      • CreateCompatibleDC.GDI32(00000000), ref: 002816CC
      • CreateCompatibleDC.GDI32(00000000), ref: 002816D9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CompatibleCreate
      • String ID: `w&
      • API String ID: 3111197059-98924798
      • Opcode ID: dd976857617322941514d456118589073f7293b56e9e02030729bbdff161e27f
      • Instruction ID: cfd027466c22e06ef9ebe6e30f7ef0b549de184c5f8c61a0942ad97e6d892d44
      • Opcode Fuzzy Hash: dd976857617322941514d456118589073f7293b56e9e02030729bbdff161e27f
      • Instruction Fuzzy Hash: 513125B1801300DFCB84EF68C48429A7BF9BF0A310F1046BED855EB286E7B58695CF90
      APIs
        • Part of subcall function 002785BD: IsWindow.USER32(?), ref: 002785CB
      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00278816
      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0027882C
        • Part of subcall function 0027B87E: IsWindow.USER32(?), ref: 0027B88A
        • Part of subcall function 0027B87E: SendMessageW.USER32(?,0000113E,00000000,?), ref: 0027B8B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$Window
      • String ID: N
      • API String ID: 2326795674-1130791706
      • Opcode ID: d840b777f833c69daf0bc2b03482de3b1c829f925e27c18a5c426b8877dd9092
      • Instruction ID: 0363ebd16453cccfb8cedf8f95e969459a099b588768be69f0040fdd6709e33e
      • Opcode Fuzzy Hash: d840b777f833c69daf0bc2b03482de3b1c829f925e27c18a5c426b8877dd9092
      • Instruction Fuzzy Hash: 6821243129030AAFCB215F91DC4DBAA7769BF94321F408039FA0D5A1A2DF718830CB92
      APIs
      • GetSysColor.USER32(00000014), ref: 0027CCC7
      • CreateDIBitmap.GDI32(0027DDC6,00000028,00000004,?,00000028,00000000), ref: 0027CD17
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: BitmapColorCreate
      • String ID: {&
      • API String ID: 2048008349-3653941810
      • Opcode ID: fa8cbb48af9f8cd9af738af7fe11dee71a3a564177805abe53858f4989463ed8
      • Instruction ID: bded8c12a3322f07892b73a24cbeb9a7764e01e55d68f853085a849f3ded88ff
      • Opcode Fuzzy Hash: fa8cbb48af9f8cd9af738af7fe11dee71a3a564177805abe53858f4989463ed8
      • Instruction Fuzzy Hash: 40218071A5025C9BEB14DBA8CD46BEDB7F8EB15304F5080AEE545EB281DA349A08CB61
      APIs
      • SetRectEmpty.USER32(?), ref: 002C5065
        • Part of subcall function 00256ECE: GetWindowLongW.USER32(?,000000EC), ref: 00256EDB
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      • OffsetRect.USER32(?,000000F9,00000000), ref: 002C50C2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: LongRectWindow$EmptyOffset
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 4187485167-973906075
      • Opcode ID: 7a3545946533ef829885e36968ede53cbdc6c3a942d64deac83a6931bd61eb7e
      • Instruction ID: 947463b2a48d80a80b4e71f1a2a769528a90c79cbcd09f222e0e666923716e16
      • Opcode Fuzzy Hash: 7a3545946533ef829885e36968ede53cbdc6c3a942d64deac83a6931bd61eb7e
      • Instruction Fuzzy Hash: B6213771E006199FCB50DF68D985AAEB7F8FF49320F14816AE805E7241D734AE14CB95
      APIs
      • GetWindowRect.USER32(?,?), ref: 002F40B4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: RectWindow
      • String ID: g5/$g5/
      • API String ID: 861336768-2943588861
      • Opcode ID: d34e1982f7fc2d973a7aedda4768a4e1eb43c18e52546301277621ce607a18cb
      • Instruction ID: 8f475f2ec0bc29958c8c92bcbc3d8719f7f66e961e387d47a632b5e57333d66c
      • Opcode Fuzzy Hash: d34e1982f7fc2d973a7aedda4768a4e1eb43c18e52546301277621ce607a18cb
      • Instruction Fuzzy Hash: C721CCB5A0021EAFCB00DFA9C9849AEBBF8FF08314F104559E915A7210D774AA14CF61
      APIs
      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0037FA8F
      • ___raise_securityfailure.LIBCMT ref: 0037FB76
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: FeaturePresentProcessor___raise_securityfailure
      • String ID: P]@
      • API String ID: 3761405300-3929314603
      • Opcode ID: a8d300ef2bed9f07b5b5c5cdb0bf513c81e60c102c30ae6d36909533ddd914b1
      • Instruction ID: 298ce30132e377cea53f9f53779f05c71627329b71f445f194ee8fb8d2dbf827
      • Opcode Fuzzy Hash: a8d300ef2bed9f07b5b5c5cdb0bf513c81e60c102c30ae6d36909533ddd914b1
      • Instruction Fuzzy Hash: E721E2B5500B009ED711DF24FA89B563BA4FB08340F64803AE588AB3B0D3B49A80CF88
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CopyInfoMonitorRect
      • String ID: (
      • API String ID: 2119610155-3887548279
      • Opcode ID: a3f25aee80a4279f34a3ca57ab99f665c48146a05f2a8d4a3c5c95c4e56894b2
      • Instruction ID: fe8e9f4f6879daea4688f63e30b97693bad79ac896d4773e91d8d8dfaff006bf
      • Opcode Fuzzy Hash: a3f25aee80a4279f34a3ca57ab99f665c48146a05f2a8d4a3c5c95c4e56894b2
      • Instruction Fuzzy Hash: BB11D371A1060AAFCB10CFA9D985D9EB7F8FF09300B908859E45AE7210D730FA40CF20
      APIs
      • GetKeyState.USER32(00000011), ref: 0026F0B2
        • Part of subcall function 0026F967: __EH_prolog3.LIBCMT ref: 0026F96E
        • Part of subcall function 0026F967: SendMessageW.USER32(?,000000B0,?,?), ref: 0026F9B1
      • SendMessageW.USER32(?,000000B0,0000002E,?), ref: 0026F0F6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MessageSend$H_prolog3State
      • String ID: .
      • API String ID: 1947833932-248832578
      • Opcode ID: 1cc0277227233edad8c782529006f9fcedd0878a6e0aefa4261adb676fd6e732
      • Instruction ID: 4c40dd6f365daa680873c39c5c5fad91fd9d97ae578bc515da564e735fed90b9
      • Opcode Fuzzy Hash: 1cc0277227233edad8c782529006f9fcedd0878a6e0aefa4261adb676fd6e732
      • Instruction Fuzzy Hash: 7601F235220209FFDF259F40EE46EEE7B6BEB41300F004025F90456161DBB199F0DB51
      APIs
      • GetParent.USER32(?), ref: 0029AB8C
      • RedrawWindow.USER32(?,00000000,00000000,00000585,00000000), ref: 0029ABBC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ParentRedrawWindow
      • String ID: ({<
      • API String ID: 3969678505-716903152
      • Opcode ID: 73632bd60264f35af52641e442034f36efe6b67c6f5f4412ac74030543c4f65c
      • Instruction ID: 8df1bae70aabdfeb995df8ef97291881a518c054f0f4d31898a53b621f5b9418
      • Opcode Fuzzy Hash: 73632bd60264f35af52641e442034f36efe6b67c6f5f4412ac74030543c4f65c
      • Instruction Fuzzy Hash: 9501A7316207049BDB195F399C65F5677EAAFE4301F00452EF556C71A0EEB0EC60CB95
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 002490C0
      • PathFindExtensionW.SHLWAPI(?), ref: 002490D6
        • Part of subcall function 00248B58: __EH_prolog3_GS.LIBCMT ref: 00248B62
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ExtensionFileFindH_prolog3_ModuleNamePath
      • String ID: %Ts%Ts.dll
      • API String ID: 3433622546-1896370695
      • Opcode ID: 531efcdb47d7c0a90f8a08ba5c7327d98fe515fba0ea5fc98b379012948eb45b
      • Instruction ID: 3c0fec401f0d7e90ee4d0eacfa044b5a0741ddcf5b6c1f5cad1e24c77f975c0b
      • Opcode Fuzzy Hash: 531efcdb47d7c0a90f8a08ba5c7327d98fe515fba0ea5fc98b379012948eb45b
      • Instruction Fuzzy Hash: A101867291011AABCB16EFA4ED49AEF73FCEF09300F4104B6A40AE7040DA75DA46CB90
      APIs
      • __EH_prolog3.LIBCMT ref: 0031DEDF
      • RegisterWindowMessageW.USER32(00000010,00000004,0031DC71,00000000,00000000,0000005C,00297E5A,?), ref: 0031DF29
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: H_prolog3MessageRegisterWindow
      • String ID: ToolbarButton%p
      • API String ID: 875023513-899657487
      • Opcode ID: 90dbf85d856b8abb2889f735109e44bfd15a4aac410472847af62c3fbdb07be4
      • Instruction ID: a9e0b2a80e3c25b2a39cdc3a54cf6df9d8d18662edb6dc5c36e8691325fea0d2
      • Opcode Fuzzy Hash: 90dbf85d856b8abb2889f735109e44bfd15a4aac410472847af62c3fbdb07be4
      • Instruction Fuzzy Hash: 6EF08C688106159ECB1ABBB4DC02BAE7334FF05310F440465F5A1A7292DB38AA56CF68
      APIs
      • GetParent.USER32(?), ref: 00289B25
        • Part of subcall function 00256ECE: GetWindowLongW.USER32(?,000000EC), ref: 00256EDB
      • OffsetRect.USER32(?,?,?), ref: 00289B74
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: LongOffsetParentRectWindow
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 2777164097-973906075
      • Opcode ID: b13c63d4b256b13af7f4ead30e311c1c407ad2109e84062fdf88bbf4632d1912
      • Instruction ID: 5402a2e0806c7be841c5035285d6a7e79ad6fa0382f2eb460f0f53a1794833e6
      • Opcode Fuzzy Hash: b13c63d4b256b13af7f4ead30e311c1c407ad2109e84062fdf88bbf4632d1912
      • Instruction Fuzzy Hash: 2BF06236610209AFDF06AF65D848DBD7BADEF49355F044025F905C7160DB35E864CB94
      APIs
      • FileTimeToLocalFileTime.KERNEL32($,?,?,?,?,?,?,0024E1E6,?,?,?,?,?,?,?,?), ref: 0024E3EB
      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,0024E1E6,?,?,?,?,?,?,?,?), ref: 0024E3FD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Time$File$LocalSystem
      • String ID: $
      • API String ID: 1748579591-1178188002
      • Opcode ID: d6d7e2fb858775a9bcc83f68b9672366ad78c541f67a88c4a55fa662eecda83d
      • Instruction ID: a47bbe5e1b9b63fcc3ab4e8f770a68a12dbc033fdfd50a5cc99e651553a93a7a
      • Opcode Fuzzy Hash: d6d7e2fb858775a9bcc83f68b9672366ad78c541f67a88c4a55fa662eecda83d
      • Instruction Fuzzy Hash: 8DF03071A2020ADF9F15EFB5C949EAF77FCAB08304B404479A806D7140EA38EA15CB64
      APIs
      • ClientToScreen.USER32(?,?), ref: 002554DC
      • ClientToScreen.USER32(?,?), ref: 002554E9
        • Part of subcall function 00256ECE: GetWindowLongW.USER32(?,000000EC), ref: 00256EDB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientScreen$LongWindow
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 3170764692-973906075
      • Opcode ID: 377a1041f24db220fb18b09df4460b6e19609e26134d5c67256cf4400c887e5d
      • Instruction ID: 0b60e116d89d5a9ab952f76536bebb1a8618c6f8a8f1dbc59e35c4b61582dfe7
      • Opcode Fuzzy Hash: 377a1041f24db220fb18b09df4460b6e19609e26134d5c67256cf4400c887e5d
      • Instruction Fuzzy Hash: FFE09276111615AFE7159F25DC88E56BBBDFF96361B000425F94583330E731AC24CBA4
      APIs
      • ScreenToClient.USER32(?,?), ref: 00255A7D
      • ScreenToClient.USER32(?,?), ref: 00255A8A
        • Part of subcall function 00256ECE: GetWindowLongW.USER32(?,000000EC), ref: 00256EDB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ClientScreen$LongWindow
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 3170764692-973906075
      • Opcode ID: ba0e8051a294e4b212108076f59a0f3bf9ea70a21bf00070666751571bdf4224
      • Instruction ID: 6cd385c2a40ce7a6f55f5ed88dca6b9fdac4e7e99121579508a0bd420f4fc8ac
      • Opcode Fuzzy Hash: ba0e8051a294e4b212108076f59a0f3bf9ea70a21bf00070666751571bdf4224
      • Instruction Fuzzy Hash: E4E09276100625AFD7119F15DC88D56FBBDFF95365B004126F94583330E731AC24CBA4
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: BrushCreateH_prolog3Solid
      • String ID: VW%
      • API String ID: 2362735850-697210052
      • Opcode ID: 4c3e31792b2df9bff135ca2ae6ee3c3acc4606daa5accd4f5e88f59117a2e608
      • Instruction ID: 8a67b60e1001cea27c544fab1dbd34237778b364255c755c0dc417a93a4c1047
      • Opcode Fuzzy Hash: 4c3e31792b2df9bff135ca2ae6ee3c3acc4606daa5accd4f5e88f59117a2e608
      • Instruction Fuzzy Hash: 17E0CD715106319FD712FF60C81575F75A4BF05717F108018F7548B181CB758554DB9D
      APIs
      • EnterCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C05E
      • TlsGetValue.KERNEL32(00402488,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C072
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C08C
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C097
      Memory Dump Source
      • Source File: 00000000.00000002.2198192262.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000000.00000002.2198125834.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198643057.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198720193.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198745424.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198789807.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2198828179.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CriticalSection$Leave$EnterValue
      • String ID:
      • API String ID: 3969253408-0
      • Opcode ID: 43095b269a9c23a0b424d8f832486559eea39a9fc12fdf32537356df85032d4c
      • Instruction ID: 02e3d8ae4036524dfd0e74be2e204de9f60d9726cc3e19519f475e2d47ce0b6f
      • Opcode Fuzzy Hash: 43095b269a9c23a0b424d8f832486559eea39a9fc12fdf32537356df85032d4c
      • Instruction Fuzzy Hash: E6F02436211214DFCFAD4F38DC44A5BF7ACFF157603155015E81293111C731EC20CAA0
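The per-function records above pair each function's Win32 imports with the string constants it references, and that pairing is what the report's signatures ("Potential key logger detected (key state polling based)", "Contains functionality to retrieve information about pressed keystrokes") are derived from. The following triage helper is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses records in the report's own layout (the sample text is constructed from three of the records above), then applies rules that carry the context an analyst needs to judge them: `GetKeyState(0x11)` is `VK_CONTROL`, so next to `SendMessageW` it reads as a modifier-key check in a message handler rather than keystroke capture; `GetModuleFileNameW` plus the format string `%Ts%Ts.dll` builds a DLL name from the executable's own path, which this example flags as a sideload candidate on the assumption that the DLL is resolved beside the binary (confirm the `LoadLibrary` call in the disassembly); `___raise_securityfailure` with `IsProcessorFeaturePresent(0x17)` is the CRT's /GS cookie-failure handler, not sample behaviour. The rule names and the `Finding` fields are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the report's record layout, abridged to the "APIs" list and
# the "String ID" line of three records above; other report lines are ignored.
SAMPLE = """\
APIs
• GetKeyState.USER32(00000011), ref: 0026F0B2
  • Part of subcall function 0026F967: SendMessageW.USER32(?,000000B0,?,?), ref: 0026F9B1
• SendMessageW.USER32(?,000000B0,0000002E,?), ref: 0026F0F6
Similarity
• String ID: .
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 002490C0
• PathFindExtensionW.SHLWAPI(?), ref: 002490D6
Similarity
• String ID: %Ts%Ts.dll
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0037FA8F
• ___raise_securityfailure.LIBCMT ref: 0037FB76
Similarity
• String ID: P]@
"""

# An API line: optional "Part of subcall function <addr>:" prefix, then Name.MODULE,
# with or without an argument list; every API line in the report carries "ref:".
API_RE = re.compile(r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?")
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<s>.*)$")

# GetKeyState on a modifier key asks "is Ctrl/Shift/Alt held?"; it captures no text.
MODIFIER_VKS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
KEY_POLL_APIS = {"GetKeyState", "GetAsyncKeyState"}


@dataclass
class Api:
    name: str
    args: list[str]
    direct: bool  # False when the API is only reached through a subcall


@dataclass
class Record:
    apis: list[Api] = field(default_factory=list)
    string_id: str = ""


@dataclass
class Finding:
    rule: str
    detail: str
    benign_hint: bool  # True when the context argues against the worst reading


def parse_records(text: str) -> list[Record]:
    """Split report text into per-function records, one per 'APIs' heading."""
    records: list[Record] = []
    current: Record | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        sm = STRING_RE.search(line)
        if sm:
            current.string_id = sm.group("s").strip()
        elif "ref:" in line and (am := API_RE.search(line)):
            raw = am.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            current.apis.append(Api(am.group("name"), args, direct=am.group("sub") is None))
    return records


def _first_arg_int(api: Api) -> int | None:
    """Decode the first argument as a hex constant; None when it is '?' (unresolved)."""
    try:
        return int(api.args[0], 16)
    except (IndexError, ValueError):
        return None


def triage(text: str) -> list[Finding]:
    """Map raw API/string pairs to the report's signatures, with the context to judge them."""
    findings: list[Finding] = []
    for rec in parse_records(text):
        names = {a.name for a in rec.apis}
        for api in (a for a in rec.apis if a.name in KEY_POLL_APIS):
            vk = _first_arg_int(api)
            if vk in MODIFIER_VKS:
                findings.append(Finding("key_state_polling", f"{api.name}({MODIFIER_VKS[vk]}) "
                                        "reads a modifier key: a message-handler check, not "
                                        "capture of typed text", benign_hint=True))
            else:
                findings.append(Finding("key_state_polling", f"{api.name} polled with vk="
                                        f"{api.args[0] if api.args else '?'}: inspect the caller "
                                        "for a loop over printable keys", benign_hint=False))
        if "GetModuleFileNameW" in names and rec.string_id.endswith(".dll") and "%" in rec.string_id:
            # Assumption: a DLL named from the executable's own path is looked up beside it,
            # so a planted DLL of that name would load. Confirm the LoadLibrary call in IDA.
            findings.append(Finding("satellite_dll", f"builds a DLL name from {rec.string_id!r} "
                                    "and its own module path: sideload candidate", benign_hint=False))
        if "___raise_securityfailure" in names:
            findings.append(Finding("gs_cookie_handler", "CRT /GS cookie-failure handler "
                                    "(IsProcessorFeaturePresent(0x17) tests for __fastfail); "
                                    "compiler-generated, not sample behaviour", benign_hint=True))
    return findings
```

Run `triage(open("report.txt").read())` over the text of the full function listing; the `benign_hint` flag separates the two readings of the key-state signature, and the subcall `direct=False` marker lets you decide whether an API attributed to a function is really its own call or inherited from a callee.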

      Execution Graph

      Execution Coverage: 2.6%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 1160
      Total number of Limit Nodes: 18
      execution_graph (rendered as an interactive graph in the original report; the node/edge dump is condensed to its API content here). Nodes are function entry addresses in the image loaded at 0x240000, annotated with the APIs they reach, and an edge A->B records that A calls or continues into B. The dumped region is MFC window and drawing code: GetParent, UpdateWindow, RedrawWindow, InvalidateRect and InflateRect; GetAsyncKeyState, SetCapture and SetCursor on the mouse-handling path; NotifyWinEvent; a drag path through GetCursorPos, CopyRect, IsRectEmpty and DoDragDrop, gated by GetProfileIntW; per-thread state built from TlsAlloc/TlsGetValue, InitializeCriticalSection/EnterCriticalSection/LeaveCriticalSection and GlobalAlloc/GlobalReAlloc/GlobalLock/GlobalUnlock/GlobalHandle with _memcpy_s; an OS version check via VerSetConditionMask, VerifyVersionInfoW and GetSystemMetrics; and system-colour brush setup via GetSysColor, GetSysColorBrush and repeated CreateSolidBrush. Error paths end in RaiseException.
calls 45939->45940 45941 27dcca 45940->45941 45942 2555a8 57 API calls 45941->45942 45943 27dcd7 CreatePen 45942->45943 45944 2554a1 56 API calls 45943->45944 45945 27dcf0 45944->45945 45946 2555a8 57 API calls 45945->45946 45947 27dcfd CreatePen 45946->45947 45948 2554a1 56 API calls 45947->45948 45949 27dd14 45948->45949 45950 2555a8 57 API calls 45949->45950 45951 27dd21 CreatePen 45950->45951 45952 2554a1 56 API calls 45951->45952 45953 27dd38 45952->45953 45954 27dd4f 45953->45954 45958 2555a8 57 API calls 45953->45958 45955 27ddbc 45954->45955 45956 27dd58 CreateSolidBrush 45954->45956 46087 27cc59 7 API calls 2 library calls 45955->46087 45959 2554a1 56 API calls 45956->45959 45958->45954 45960 27ddba 45959->45960 46093 2ad857 45960->46093 45961 27ddc6 45961->45908 45962 27ddca 45961->45962 45963 2554a1 56 API calls 45962->45963 45965 27dde3 CreatePatternBrush 45963->45965 45967 2554a1 56 API calls 45965->45967 45969 27ddf4 45967->45969 46088 254abe 45969->46088 45970 27de1a Concurrency::details::ExternalContextBase::~ExternalContextBase 45970->45890 45973 27d4e3 __EH_prolog3_GS 45972->45973 45974 2549bd 57 API calls 45973->45974 45975 27d4f2 GetDeviceCaps 45974->45975 45978 27d533 45975->45978 45976 27d56e 45977 27d58c 45976->45977 45982 25561c 56 API calls 45976->45982 45980 27d5aa 45977->45980 45986 25561c 56 API calls 45977->45986 45978->45976 45979 25561c 56 API calls 45978->45979 45981 27d567 DeleteObject 45979->45981 45983 27d5c8 45980->45983 45989 25561c 56 API calls 45980->45989 45981->45976 45985 27d585 DeleteObject 45982->45985 45984 27d5e6 45983->45984 45991 25561c 56 API calls 45983->45991 45987 27d604 45984->45987 45995 25561c 56 API calls 45984->45995 45985->45977 45988 27d5a3 DeleteObject 45986->45988 45992 27d622 45987->45992 45998 25561c 56 API calls 45987->45998 45988->45980 45990 27d5c1 DeleteObject 45989->45990 45990->45983 45994 27d5df DeleteObject 45991->45994 45993 27d640 45992->45993 45999 25561c 56 API calls 45992->45999 45996 
27d65e 45993->45996 46004 25561c 56 API calls 45993->46004 45994->45984 45997 27d5fd DeleteObject 45995->45997 46000 27d67c 45996->46000 46007 25561c 56 API calls 45996->46007 45997->45987 46001 27d61b DeleteObject 45998->46001 46003 27d639 DeleteObject 45999->46003 46141 27d15c 46000->46141 46001->45992 46003->45993 46006 27d657 DeleteObject 46004->46006 46005 27d694 _memcpy_s 46009 27d6a1 GetTextCharsetInfo 46005->46009 46006->45996 46008 27d675 DeleteObject 46007->46008 46008->46000 46010 27d6d9 lstrcpyW 46009->46010 46012 27d776 CreateFontIndirectW 46010->46012 46013 27d70a 46010->46013 46014 2554a1 56 API calls 46012->46014 46013->46012 46015 27d713 EnumFontFamiliesW 46013->46015 46020 27d788 __vsnwprintf_s_l 46014->46020 46016 27d744 EnumFontFamiliesW 46015->46016 46017 27d72f lstrcpyW 46015->46017 46018 27d763 lstrcpyW 46016->46018 46017->46012 46018->46012 46021 27d7c7 CreateFontIndirectW 46020->46021 46022 2554a1 56 API calls 46021->46022 46023 27d7d9 46022->46023 46024 27d15c SystemParametersInfoW 46023->46024 46025 27d7f4 CreateFontIndirectW 46024->46025 46026 2554a1 56 API calls 46025->46026 46027 27d81c CreateFontIndirectW 46026->46027 46028 2554a1 56 API calls 46027->46028 46029 27d848 CreateFontIndirectW 46028->46029 46030 2554a1 56 API calls 46029->46030 46031 27d869 GetSystemMetrics lstrcpyW CreateFontIndirectW 46030->46031 46032 2554a1 56 API calls 46031->46032 46033 27d8a5 GetStockObject 46032->46033 46034 27d8cf GetObjectW 46033->46034 46035 27d948 GetStockObject 46033->46035 46034->46035 46036 27d8e0 lstrcpyW CreateFontIndirectW 46034->46036 46144 255721 46035->46144 46038 2554a1 56 API calls 46036->46038 46040 27d92f CreateFontIndirectW 46038->46040 46042 2554a1 56 API calls 46040->46042 46042->46035 46061 37f3ab IsProcessorFeaturePresent 46060->46061 46062 37f3a9 46060->46062 46064 37fa98 46061->46064 46062->45887 46148 37fa5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46064->46148 46066 37fb7b 
46066->45887 46067->45897 46069 2549c9 __EH_prolog3 46068->46069 46070 2549ec GetWindowDC 46069->46070 46110 25545f 46070->46110 46072 254a02 Concurrency::details::ExternalContextBase::~ExternalContextBase 46072->45904 46077 2555b1 46076->46077 46078 2555ae 46076->46078 46119 25561c 46077->46119 46078->45915 46080 2555b6 DeleteObject 46080->45915 46082 2554ae 46081->46082 46083 2554c3 46081->46083 46124 256001 56 API calls 2 library calls 46082->46124 46083->45918 46085 2554b8 46125 256396 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 46085->46125 46087->45961 46089 2555a8 57 API calls 46088->46089 46090 254afe 46089->46090 46091 37f3a0 __floor_pentium4 5 API calls 46090->46091 46092 254b16 46091->46092 46092->45960 46094 2ad860 46093->46094 46104 27de08 46093->46104 46094->46104 46126 27f34a 27 API calls 46094->46126 46096 2ad873 46127 27f34a 27 API calls 46096->46127 46098 2ad87d 46128 27f34a 27 API calls 46098->46128 46100 2ad887 46129 27f34a 27 API calls 46100->46129 46102 2ad891 46130 27f34a 27 API calls 46102->46130 46105 254c2e 46104->46105 46131 2555df 46105->46131 46107 254c5e ReleaseDC 46135 254a77 46107->46135 46111 25546c 46110->46111 46115 2549fe 46110->46115 46117 255f8e 56 API calls 2 library calls 46111->46117 46113 255477 46118 256396 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 46113->46118 46115->46072 46116 25542b RaiseException std::_Xinvalid_argument 46115->46116 46117->46113 46118->46115 46120 255627 46119->46120 46121 25562e 46119->46121 46123 256001 56 API calls 2 library calls 46120->46123 46121->46080 46123->46121 46124->46085 46125->46083 46126->46096 46127->46098 46128->46100 46129->46102 46130->46104 46132 2555f2 46131->46132 46133 2555eb 46131->46133 46132->46107 46140 255f8e 56 API calls 2 library calls 46133->46140 46136 254aa5 46135->46136 46137 254ab1 46135->46137 46138 2555df 56 API calls 46136->46138 46137->45970 46139 254aaa DeleteDC 46138->46139 46139->46137 
46140->46132 46142 27d16b SystemParametersInfoW 46141->46142 46142->46005 46147 256001 56 API calls 2 library calls 46144->46147 46146 25572b 46147->46146 46148->46066 46149->45801 46150 299e3d 46157 285a66 46150->46157 46153 267b0a 161 API calls 46154 299e64 46153->46154 46155 27d4d4 104 API calls 46154->46155 46156 299e6b 46155->46156 46164 25acb4 46157->46164 46160 267b0a 161 API calls 46161 285a79 46160->46161 46168 27d2ee 8 API calls 46161->46168 46163 285a80 46163->46153 46163->46156 46167 25acc6 46164->46167 46169 25a443 46167->46169 46168->46163 46183 248b33 56 API calls 46169->46183 46171 25a44b 46172 25a459 46171->46172 46184 24cc50 8 API calls 46171->46184 46185 256f22 GetWindowLongW 46172->46185 46175 25a460 46176 25a467 46175->46176 46177 25a481 46175->46177 46186 25972e 52 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46176->46186 46188 2592e8 50 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46177->46188 46180 25a488 46180->46160 46181 25a46c 46187 25c19d 182 API calls 46181->46187 46183->46171 46184->46172 46185->46175 46186->46181 46187->46177 46188->46180 46189 245da0 GetModuleHandleW 46190 245de5 GetCommandLineW 46189->46190 46191 245dfa 46189->46191 46248 24a41e SetErrorMode SetErrorMode 46190->46248 46193 245d70 76 API calls 46191->46193 46195 24614d 46193->46195 46196 245e04 46259 248573 46196->46259 46205 245d70 76 API calls 46210 24609d messages 46205->46210 46207 245e76 46208 246056 46207->46208 46209 245e9e 46207->46209 46317 246915 46208->46317 46212 246915 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 46209->46212 46220 245ea5 46212->46220 46214 24607a 46218 246084 46214->46218 46219 24604c 46214->46219 46215 24606b 46401 241d60 76 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46215->46401 46217 246076 46217->46214 46321 241ed0 46218->46321 46219->46205 46223 245fc8 46220->46223 46224 245ec8 46220->46224 46225 246169 
46220->46225 46221 245ff5 46399 243800 126 API calls 2 library calls 46221->46399 46223->46219 46223->46221 46378 242590 46224->46378 46402 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46225->46402 46229 246000 46232 24600e 46229->46232 46236 245d70 76 API calls 46229->46236 46230 246173 46403 242c90 38 API calls 4 library calls 46230->46403 46400 2449f0 25 API calls messages 46232->46400 46236->46232 46237 246178 46240 246039 messages 46240->46210 46241 245ef7 46241->46230 46243 245f57 46241->46243 46244 245f3c 46241->46244 46397 2429b0 25 API calls 2 library calls 46243->46397 46398 243370 129 API calls 3 library calls 46244->46398 46247 245fc3 46247->46223 46249 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46248->46249 46250 24a43b 46249->46250 46251 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46250->46251 46252 24a449 46251->46252 46253 24a464 46252->46253 46404 24a47c 46252->46404 46254 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46253->46254 46256 24a469 46254->46256 46257 245df6 46256->46257 46445 24f43e 58 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46256->46445 46257->46191 46257->46196 46260 248588 46259->46260 46500 2428c0 46260->46500 46262 248591 46263 2428c0 26 API calls 46262->46263 46264 24859f 46263->46264 46265 2428c0 26 API calls 46264->46265 46266 2485ad 46265->46266 46267 2428c0 26 API calls 46266->46267 46268 2485bb 46267->46268 46269 2428c0 26 API calls 46268->46269 46270 245e0c 46269->46270 46271 249250 46270->46271 46273 24925d 46271->46273 46272 245e40 46275 2465e0 46272->46275 46273->46272 46506 245b70 46273->46506 46278 246621 46275->46278 46276 246706 46644 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46276->46644 46278->46276 46280 242590 72 API calls 46278->46280 46279 246710 46281 246648 46280->46281 46282 
24665a 46281->46282 46641 242a40 38 API calls 4 library calls 46281->46641 46284 24668a 46282->46284 46642 242950 38 API calls 46282->46642 46286 246695 GetModuleFileNameW 46284->46286 46289 2466bb ___crtDownlevelLCIDToLocaleName 46284->46289 46286->46289 46288 245e4a 46288->46219 46290 2462b0 46288->46290 46289->46288 46643 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46289->46643 46293 2462fb 46290->46293 46291 24630a 46292 246370 PathRemoveFileSpecW 46291->46292 46646 242950 38 API calls 46291->46646 46296 246380 ___crtDownlevelLCIDToLocaleName 46292->46296 46293->46291 46294 2463d3 46293->46294 46645 2429b0 25 API calls 2 library calls 46293->46645 46649 242c90 38 API calls 4 library calls 46294->46649 46300 2463c9 46296->46300 46301 246399 46296->46301 46299 2463d8 46648 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46300->46648 46302 245e69 46301->46302 46647 242a40 38 API calls 4 library calls 46301->46647 46305 245030 46302->46305 46306 245051 46305->46306 46307 2450d8 46305->46307 46308 2450cd 46306->46308 46311 24505d 46306->46311 46307->46207 46651 242a40 38 API calls 4 library calls 46308->46651 46310 245071 46310->46207 46311->46310 46312 2450e3 46311->46312 46313 24508a 46311->46313 46652 242c90 38 API calls 4 library calls 46312->46652 46650 2429b0 25 API calls 2 library calls 46313->46650 46316 2450e8 46318 24691c 46317->46318 46320 24605d 46318->46320 46653 3871f0 46318->46653 46320->46214 46320->46215 46322 241f08 46321->46322 46323 242387 46322->46323 46324 241f12 46322->46324 46703 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46323->46703 46327 242590 72 API calls 46324->46327 46326 242391 46704 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46326->46704 46329 241f31 46327->46329 46331 241f44 46329->46331 46692 242a40 38 API calls 4 library calls 46329->46692 46330 24239b 46705 241c60 26 API 
calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46330->46705 46664 246180 46331->46664 46335 2423a5 46706 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46335->46706 46337 2423af 46338 241f5a 46338->46326 46339 241f8d 46338->46339 46340 242590 72 API calls 46339->46340 46341 241fa9 46340->46341 46342 241fbc 46341->46342 46693 242a40 38 API calls 4 library calls 46341->46693 46342->46330 46344 241fcf 46342->46344 46345 242590 72 API calls 46344->46345 46346 241feb 46345->46346 46347 241ffe 46346->46347 46694 242a40 38 API calls 4 library calls 46346->46694 46349 246180 39 API calls 46347->46349 46350 242011 46349->46350 46679 242d70 46350->46679 46352 242025 ___crtDownlevelLCIDToLocaleName 46352->46335 46355 2420c5 46352->46355 46359 2420e6 ___crtDownlevelLCIDToLocaleName 46352->46359 46695 242950 38 API calls 46352->46695 46353 2422b7 ShellExecuteExW 46356 242332 46353->46356 46357 242323 46353->46357 46696 2429b0 25 API calls 2 library calls 46355->46696 46356->46210 46374 245d70 46356->46374 46357->46356 46361 242327 WaitForSingleObject 46357->46361 46358 24215c 46698 2429b0 25 API calls 2 library calls 46358->46698 46359->46335 46359->46358 46363 24217d ___crtDownlevelLCIDToLocaleName 46359->46363 46697 242950 38 API calls 46359->46697 46361->46356 46362 2421f3 46700 2429b0 25 API calls 2 library calls 46362->46700 46363->46335 46363->46362 46367 242214 ___crtDownlevelLCIDToLocaleName 46363->46367 46699 242950 38 API calls 46363->46699 46366 24228a 46702 2429b0 25 API calls 2 library calls 46366->46702 46367->46335 46367->46353 46367->46366 46701 242950 38 API calls 46367->46701 46373 2422ab 46373->46335 46373->46353 46375 245d7e __vsnwprintf_s_l 46374->46375 46782 386a91 46375->46782 46377 245d98 46377->46210 46379 2425a4 46378->46379 46380 24267d 46378->46380 46379->46380 46995 24710b 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46379->46995 46380->46241 46396 242a40 38 
API calls 4 library calls 46380->46396 46382 2425ba 46382->46380 46383 2425c4 FindResourceW 46382->46383 46383->46380 46384 2425df LoadResource 46383->46384 46384->46380 46385 2425ef LockResource 46384->46385 46385->46380 46386 242601 SizeofResource 46385->46386 46387 242613 46386->46387 46387->46380 46388 242654 46387->46388 46996 242950 38 API calls 46387->46996 46997 384956 25 API calls 3 library calls 46388->46997 46391 24266d 46998 241ba0 RaiseException std::_Xinvalid_argument 46391->46998 46396->46241 46397->46244 46398->46247 46399->46229 46400->46240 46401->46217 46402->46230 46403->46237 46405 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46404->46405 46406 24a499 GetModuleFileNameW 46405->46406 46407 24a4c1 46406->46407 46408 24a4ca PathFindExtensionW 46407->46408 46479 255445 RaiseException std::_Xinvalid_argument 46407->46479 46410 24a4e2 46408->46410 46411 24a4dd 46408->46411 46446 24a3d9 46410->46446 46480 255445 RaiseException std::_Xinvalid_argument 46411->46480 46414 24a4ff 46415 24a508 46414->46415 46481 255445 RaiseException std::_Xinvalid_argument 46414->46481 46417 24a51a 46415->46417 46482 38939f 26 API calls 3 library calls 46415->46482 46421 24a643 46417->46421 46435 24a555 46417->46435 46467 247116 46417->46467 46420 247116 71 API calls 46423 24a57d 46420->46423 46489 2471e4 RaiseException std::_Xinvalid_argument 46421->46489 46422 24a542 46483 38939f 26 API calls 3 library calls 46422->46483 46436 24a58d 46423->46436 46484 38939f 26 API calls 3 library calls 46423->46484 46424 24a634 46428 37f3a0 __floor_pentium4 5 API calls 46424->46428 46433 24a641 46428->46433 46432 24a618 46488 241ba0 RaiseException std::_Xinvalid_argument 46432->46488 46433->46253 46434 24a5db 46486 241ba0 RaiseException std::_Xinvalid_argument 46434->46486 46435->46420 46435->46421 46435->46436 46436->46421 46443 24a5ed 46436->46443 46485 38736c 25 API calls 2 library calls 46436->46485 46443->46421 46443->46424 46487 38932a 25 
API calls 2 library calls 46443->46487 46445->46257 46447 24a3e2 PathFindFileNameW 46446->46447 46448 24a418 46446->46448 46450 24a3fb 46447->46450 46455 24a3f1 46447->46455 46449 2471ca Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 46448->46449 46452 24a41d SetErrorMode SetErrorMode 46449->46452 46490 387296 25 API calls 2 library calls 46450->46490 46457 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46452->46457 46453 24a409 46491 241ba0 RaiseException std::_Xinvalid_argument 46453->46491 46455->46414 46458 24a43b 46457->46458 46459 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46458->46459 46460 24a449 46459->46460 46461 24a464 46460->46461 46463 24a47c 75 API calls 46460->46463 46462 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46461->46462 46464 24a469 46462->46464 46463->46461 46465 24a475 46464->46465 46492 24f43e 58 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46464->46492 46465->46414 46468 247177 46467->46468 46469 247122 46467->46469 46470 2471ca Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 46468->46470 46469->46468 46471 247129 46469->46471 46472 24717c 46470->46472 46473 24bbbb Concurrency::details::ExternalContextBase::~ExternalContextBase 56 API calls 46471->46473 46472->46422 46474 24712e 46473->46474 46493 241cb0 FindResourceW 46474->46493 46476 24713a 46477 247140 46476->46477 46499 242ee0 26 API calls 2 library calls 46476->46499 46477->46422 46482->46417 46483->46435 46484->46436 46485->46434 46487->46432 46490->46453 46492->46465 46494 241cd5 46493->46494 46495 241cd9 LoadResource 46493->46495 46494->46476 46496 241cef LockResource 46495->46496 46498 241ce6 46495->46498 46497 241cfc SizeofResource 46496->46497 46496->46498 46497->46498 46498->46476 46499->46477 46501 2428cd 46500->46501 46502 2428de 46500->46502 46501->46262 46505 241c60 
26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46502->46505 46504 2428e8 46505->46504 46507 245b9d 46506->46507 46508 245ba7 46507->46508 46509 245d58 46507->46509 46512 242590 72 API calls 46508->46512 46560 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46509->46560 46511 245d62 46515 245bc5 46512->46515 46513 245bef 46540 386f55 46513->46540 46515->46513 46559 242a40 38 API calls 4 library calls 46515->46559 46516 245c04 46518 386f55 47 API calls 46516->46518 46524 245c2f 46516->46524 46520 245c16 46518->46520 46522 386f55 47 API calls 46520->46522 46520->46524 46521 245c48 46521->46273 46523 245c28 46522->46523 46523->46524 46525 386f55 47 API calls 46523->46525 46550 24931b 46524->46550 46526 245c86 46525->46526 46526->46524 46527 386f55 47 API calls 46526->46527 46528 245c9c 46527->46528 46528->46524 46529 386f55 47 API calls 46528->46529 46530 245cb2 46529->46530 46530->46524 46531 386f55 47 API calls 46530->46531 46532 245ccd 46531->46532 46532->46524 46533 386f55 47 API calls 46532->46533 46534 245ce8 46533->46534 46534->46524 46535 386f55 47 API calls 46534->46535 46536 245d03 46535->46536 46536->46524 46537 386f55 47 API calls 46536->46537 46538 245d1e 46537->46538 46538->46524 46539 386f55 47 API calls 46538->46539 46539->46524 46541 386f86 46540->46541 46542 386f63 46540->46542 46563 386f9e 47 API calls 3 library calls 46541->46563 46542->46541 46543 386f69 46542->46543 46561 386e09 14 API calls __dosmaperr 46543->46561 46545 386f99 46545->46516 46547 386f6e 46562 386d2f 25 API calls _memcpy_s 46547->46562 46549 386f79 46549->46516 46551 249327 __EH_prolog3 46550->46551 46552 249355 46551->46552 46553 249332 46551->46553 46606 24960a 38 API calls 46552->46606 46564 2484ff 46553->46564 46556 24933a 46572 24936c 46556->46572 46558 249348 Concurrency::details::ExternalContextBase::~ExternalContextBase 46558->46521 46559->46513 46560->46511 46561->46547 46562->46549 46563->46545 46565 
24850b __EH_prolog3 46564->46565 46607 246bc9 46565->46607 46570 248539 Concurrency::details::ExternalContextBase::~ExternalContextBase 46570->46556 46633 37f980 46572->46633 46574 249378 lstrcmpA 46575 249399 lstrcmpA 46574->46575 46597 24938d Concurrency::details::ExternalContextBase::~ExternalContextBase 46574->46597 46576 2493b5 CompareStringA 46575->46576 46575->46597 46577 2493d4 CompareStringA 46576->46577 46576->46597 46578 2493f0 CompareStringA 46577->46578 46577->46597 46579 24940c CompareStringA 46578->46579 46578->46597 46580 249428 CompareStringA 46579->46580 46579->46597 46581 249444 CompareStringA 46580->46581 46580->46597 46582 249460 CompareStringA 46581->46582 46581->46597 46583 24947c CompareStringA 46582->46583 46582->46597 46584 249498 46583->46584 46583->46597 46634 3893fe 47 API calls 2 library calls 46584->46634 46586 2494a5 46587 2494ac 46586->46587 46588 2494ff lstrcmpA 46586->46588 46635 2450f0 74 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46587->46635 46589 249521 lstrcmpA 46588->46589 46590 24950f 46588->46590 46593 249540 CompareStringA 46589->46593 46594 249531 46589->46594 46637 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46590->46637 46598 249558 46593->46598 46599 24956b CompareStringA 46593->46599 46638 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46594->46638 46595 2494b5 46595->46597 46636 249a40 38 API calls 46595->46636 46597->46558 46639 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46598->46639 46599->46597 46600 249584 46599->46600 46640 25094d 56 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46600->46640 46604 2494d7 46605 245030 38 API calls 46604->46605 46605->46597 46606->46558 46608 246bf7 46607->46608 46609 246bd8 46607->46609 46627 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46608->46627 46612 248cc7 
46609->46612 46611 246c01 46613 24852b 46612->46613 46614 248cd3 46612->46614 46613->46570 46616 248a4b 46613->46616 46614->46613 46628 249112 76 API calls 46614->46628 46617 248a8d 46616->46617 46618 248a58 46616->46618 46632 246dcb 26 API calls 46617->46632 46629 248e34 WideCharToMultiByte 46618->46629 46621 248a60 46621->46617 46623 248a67 46621->46623 46622 248a8b 46622->46570 46630 246f2c 40 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46623->46630 46625 248a6f WideCharToMultiByte 46631 246fde 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46625->46631 46627->46611 46628->46613 46629->46621 46630->46625 46631->46622 46632->46622 46633->46574 46634->46586 46635->46595 46636->46604 46637->46597 46638->46597 46639->46597 46640->46597 46641->46282 46642->46284 46643->46276 46644->46279 46645->46291 46646->46292 46647->46302 46648->46294 46649->46299 46650->46310 46651->46307 46652->46316 46654 392ef2 46653->46654 46655 392f30 46654->46655 46657 392f1b HeapAlloc 46654->46657 46660 392f04 __dosmaperr 46654->46660 46663 386e09 14 API calls __dosmaperr 46655->46663 46658 392f2e 46657->46658 46657->46660 46659 392f35 46658->46659 46659->46318 46660->46655 46660->46657 46662 39ae37 EnterCriticalSection LeaveCriticalSection __dosmaperr 46660->46662 46662->46660 46663->46659 46666 2461cb 46664->46666 46665 2461da 46668 246240 PathAppendW 46665->46668 46708 242950 38 API calls 46665->46708 46666->46665 46667 2462a8 46666->46667 46707 2429b0 25 API calls 2 library calls 46666->46707 46711 242c90 38 API calls 4 library calls 46667->46711 46669 246255 ___crtDownlevelLCIDToLocaleName 46668->46669 46673 24629e 46669->46673 46674 24626e 46669->46674 46710 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46673->46710 46676 24628a 46674->46676 46709 242a40 38 API calls 4 library calls 46674->46709 46675 2462ad 46676->46338 46680 242d82 __vsnwprintf_s_l 46679->46680 46690 242df1 
46679->46690 46712 386b3b 46680->46712 46682 242e17 46720 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46682->46720 46686 242e21 46687 242dd2 46715 386b5f 46687->46715 46691 242dfb 46690->46691 46719 241c60 26 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 46690->46719 46691->46352 46692->46331 46693->46342 46694->46347 46695->46355 46696->46359 46697->46358 46698->46363 46699->46362 46700->46367 46701->46366 46702->46373 46703->46326 46704->46330 46705->46335 46706->46337 46707->46665 46708->46668 46709->46676 46710->46667 46711->46675 46721 384cd4 46712->46721 46760 384e5b 46715->46760 46717 386b7e 46717->46690 46718 242950 38 API calls 46718->46687 46719->46682 46720->46686 46722 384cfc 46721->46722 46723 384d14 46721->46723 46736 386e09 14 API calls __dosmaperr 46722->46736 46723->46722 46725 384d1c 46723->46725 46738 38528d 46725->46738 46727 384d01 46737 386d2f 25 API calls _memcpy_s 46727->46737 46729 384d0c 46731 37f3a0 __floor_pentium4 5 API calls 46729->46731 46730 384d2c __vsnwprintf_s_l 46746 385804 50 API calls 3 library calls 46730->46746 46732 242da3 46731->46732 46732->46682 46732->46687 46732->46718 46735 384db3 46747 385310 46735->46747 46736->46727 46737->46729 46739 3852ad 46738->46739 46745 3852a4 46738->46745 46739->46745 46750 393552 37 API calls 3 library calls 46739->46750 46741 3852cd 46751 3937a4 37 API calls __cftof 46741->46751 46743 3852e3 46752 3937d1 47 API calls __cftof 46743->46752 46745->46730 46746->46735 46753 392eb8 46747->46753 46749 385320 46749->46729 46750->46741 46751->46743 46752->46745 46754 392ec3 HeapFree 46753->46754 46758 392eec _free 46753->46758 46755 392ed8 46754->46755 46754->46758 46759 386e09 14 API calls __dosmaperr 46755->46759 46757 392ede GetLastError 46757->46758 46758->46749 46759->46757 46761 384e7b 46760->46761 46762 384e66 46760->46762 46764 384ebf 46761->46764 46767 384e89 46761->46767 46776 386e09 14 API calls __dosmaperr 46762->46776 
46780 386e09 14 API calls __dosmaperr 46764->46780 46766 384e6b 46777 386d2f 25 API calls _memcpy_s 46766->46777 46778 384b4d 50 API calls 5 library calls 46767->46778 46768 384eb7 46781 386d2f 25 API calls _memcpy_s 46768->46781 46771 384e76 46771->46717 46772 384ea1 46774 384ecf 46772->46774 46779 386e09 14 API calls __dosmaperr 46772->46779 46774->46717 46776->46766 46777->46771 46778->46772 46779->46768 46780->46768 46781->46774 46783 386ac1 46782->46783 46784 386ad6 46782->46784 46800 386e09 14 API calls __dosmaperr 46783->46800 46784->46783 46786 386ada 46784->46786 46792 384a06 46786->46792 46787 386ac6 46801 386d2f 25 API calls _memcpy_s 46787->46801 46791 386ad1 46791->46377 46793 384a12 __fread_nolock 46792->46793 46802 38717a EnterCriticalSection 46793->46802 46795 384a20 46803 38534e 46795->46803 46799 384a3e 46799->46377 46800->46787 46801->46791 46802->46795 46817 39431b 46803->46817 46806 38528d __cftof 47 API calls 46807 385388 __vsnwprintf_s_l 46806->46807 46828 3855c0 46807->46828 46810 385310 __vsnwprintf_s_l 14 API calls 46811 3853d9 46810->46811 46841 3943ce 46811->46841 46814 37f3a0 __floor_pentium4 5 API calls 46815 384a2d 46814->46815 46816 384a55 LeaveCriticalSection __fread_nolock 46815->46816 46816->46799 46845 387f33 46817->46845 46819 39432c 46852 39d47b 46819->46852 46821 394332 46822 385371 46821->46822 46823 394383 46821->46823 46822->46806 46861 392ef2 15 API calls 2 library calls 46823->46861 46825 39438d 46826 392eb8 _free 14 API calls 46825->46826 46827 394396 46826->46827 46827->46822 46867 386750 46828->46867 46830 3853cc 46830->46810 46831 3855e0 46874 386e09 14 API calls __dosmaperr 46831->46874 46833 3855e5 46875 386d2f 25 API calls _memcpy_s 46833->46875 46835 3855d1 __vsnwprintf_s_l 46835->46830 46835->46831 46876 38595d 48 API calls 2 library calls 46835->46876 46877 3861c1 48 API calls __vsnwprintf_s_l 46835->46877 46878 3859e0 48 API calls __vsnwprintf_s_l 46835->46878 46879 385a07 50 API calls 4 library calls 

      Control-flow Graph

      APIs
      • GetCurrentProcess.KERNEL32(?,?,00391D0E,?,?,?,?,?,00384D2C), ref: 00391D31
      • TerminateProcess.KERNEL32(00000000,?,00391D0E,?,?,?,?,?,00384D2C), ref: 00391D38
      • ExitProcess.KERNEL32 ref: 00391D4A
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Process$CurrentExitTerminate
      • String ID:
      • API String ID: 1703294689-0
      • Opcode ID: 7223cc0ffee0b5a16cb0662e98e2692317c9d933044a4d92148f6bea8d9f78ea
      • Instruction ID: 75bd31ac3016342e096d40eae5dc093b44d6f726afea24e4fcc91b03f1a48621
      • Opcode Fuzzy Hash: 7223cc0ffee0b5a16cb0662e98e2692317c9d933044a4d92148f6bea8d9f78ea
      • Instruction Fuzzy Hash: 91E0B631100109ABCF176BA4DE4DA683B6DEB85741F014814F8159A171CB35DD42CA50

      Control-flow Graph

      APIs
      • __EH_prolog3.LIBCMT ref: 0027DA0F
      • GetSysColor.USER32(00000016), ref: 0027DA18
      • GetSysColor.USER32(0000000F), ref: 0027DA2B
      • GetSysColor.USER32(00000015), ref: 0027DA42
      • GetSysColor.USER32(0000000F), ref: 0027DA4E
      • GetDeviceCaps.GDI32(?,0000000C), ref: 0027DA76
      • GetSysColor.USER32(0000000F), ref: 0027DA84
      • GetSysColor.USER32(00000010), ref: 0027DA92
      • GetSysColor.USER32(00000015), ref: 0027DAA0
      • GetSysColor.USER32(00000016), ref: 0027DAAE
      • GetSysColor.USER32(00000014), ref: 0027DABC
      • GetSysColor.USER32(00000012), ref: 0027DACA
      • GetSysColor.USER32(00000011), ref: 0027DAD8
      • GetSysColor.USER32(00000006), ref: 0027DAE3
      • GetSysColor.USER32(0000000D), ref: 0027DAEE
      • GetSysColor.USER32(0000000E), ref: 0027DAF9
      • GetSysColor.USER32(00000005), ref: 0027DB04
      • GetSysColor.USER32(00000008), ref: 0027DB12
      • GetSysColor.USER32(00000009), ref: 0027DB1D
      • GetSysColor.USER32(00000007), ref: 0027DB28
      • GetSysColor.USER32(00000002), ref: 0027DB33
      • GetSysColor.USER32(00000003), ref: 0027DB3E
      • GetSysColor.USER32(0000001B), ref: 0027DB4C
      • GetSysColor.USER32(0000001C), ref: 0027DB5A
      • GetSysColor.USER32(0000000A), ref: 0027DB68
      • GetSysColor.USER32(0000000B), ref: 0027DB76
      • GetSysColor.USER32(00000013), ref: 0027DB84
      • GetSysColor.USER32(0000001A), ref: 0027DBAD
      • GetSysColorBrush.USER32(00000010), ref: 0027DBBE
      • GetSysColorBrush.USER32(00000014), ref: 0027DBD1
      • GetSysColorBrush.USER32(00000005), ref: 0027DBE4
      • CreateSolidBrush.GDI32(?), ref: 0027DC05
      • CreateSolidBrush.GDI32(00000010), ref: 0027DC23
      • CreateSolidBrush.GDI32(?), ref: 0027DC41
      • CreateSolidBrush.GDI32(?), ref: 0027DC62
      • CreateSolidBrush.GDI32(?), ref: 0027DC80
      • CreateSolidBrush.GDI32(?), ref: 0027DC9E
      • CreateSolidBrush.GDI32(?), ref: 0027DCBC
      • CreatePen.GDI32(00000000,00000001), ref: 0027DCE2
      • CreatePen.GDI32(00000000,00000001), ref: 0027DD06
      • CreatePen.GDI32(00000000,00000001), ref: 0027DD2A
      • CreateSolidBrush.GDI32(?), ref: 0027DDA8
      • CreatePatternBrush.GDI32(00000000), ref: 0027DDE6
        • Part of subcall function 002555A8: DeleteObject.GDI32(00000000), ref: 002555B7
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
      • String ID: {&$PW%
      • API String ID: 3754413814-2158479433
      • Opcode ID: a0ed5d299dd354bab07f255341b5ad4d187858516fd352aad2399e1091c826b4
      • Instruction ID: 92146675ee44af219daa78ce3ae26006d6d578390fcb5f289a1b43907124015b
      • Opcode Fuzzy Hash: a0ed5d299dd354bab07f255341b5ad4d187858516fd352aad2399e1091c826b4
      • Instruction Fuzzy Hash: 5EC1C170A00A26AFDB06AFB0CD297ADBBB5FF09702F404518F60997191DB39A525DF90

      Control-flow Graph

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0027D4DE
        • Part of subcall function 002549BD: __EH_prolog3.LIBCMT ref: 002549C4
        • Part of subcall function 002549BD: GetWindowDC.USER32(00000000,00000004,0027DA6E,00000000), ref: 002549F0
      • GetDeviceCaps.GDI32(?,00000058), ref: 0027D4FE
      • DeleteObject.GDI32(00000000), ref: 0027D568
      • DeleteObject.GDI32(00000000), ref: 0027D586
      • DeleteObject.GDI32(00000000), ref: 0027D5A4
      • DeleteObject.GDI32(00000000), ref: 0027D5C2
      • DeleteObject.GDI32(00000000), ref: 0027D5E0
      • DeleteObject.GDI32(00000000), ref: 0027D5FE
      • DeleteObject.GDI32(00000000), ref: 0027D61C
      • DeleteObject.GDI32(00000000), ref: 0027D63A
      • DeleteObject.GDI32(00000000), ref: 0027D658
      • DeleteObject.GDI32(00000000), ref: 0027D676
      • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 0027D6AE
      • lstrcpyW.KERNEL32(?,?), ref: 0027D6FE
      • EnumFontFamiliesW.GDI32(?,00000000,0027CFFF,Segoe UI), ref: 0027D725
      • lstrcpyW.KERNEL32(?,Segoe UI), ref: 0027D738
      • EnumFontFamiliesW.GDI32(?,00000000,0027CFFF,Tahoma), ref: 0027D756
      • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 0027D770
      • CreateFontIndirectW.GDI32(?), ref: 0027D77A
      • CreateFontIndirectW.GDI32(?), ref: 0027D7CB
      • CreateFontIndirectW.GDI32(?), ref: 0027D80A
      • CreateFontIndirectW.GDI32(?), ref: 0027D836
      • CreateFontIndirectW.GDI32(?), ref: 0027D857
      • GetSystemMetrics.USER32(00000048), ref: 0027D876
      • lstrcpyW.KERNEL32(?,Marlett), ref: 0027D889
      • CreateFontIndirectW.GDI32(?), ref: 0027D893
      • GetStockObject.GDI32(00000011), ref: 0027D8BF
      • GetObjectW.GDI32(00000000,0000005C,?), ref: 0027D8D6
      • lstrcpyW.KERNEL32(?,Arial), ref: 0027D913
      • CreateFontIndirectW.GDI32(?), ref: 0027D91D
      • CreateFontIndirectW.GDI32(?), ref: 0027D936
      • GetStockObject.GDI32(00000011), ref: 0027D94A
      • GetObjectW.GDI32(?,0000005C,?), ref: 0027D95F
      • CreateFontIndirectW.GDI32(?), ref: 0027D96D
      • CreateFontIndirectW.GDI32(?), ref: 0027D98E
        • Part of subcall function 0027DE26: __EH_prolog3_GS.LIBCMT ref: 0027DE2D
        • Part of subcall function 0027DE26: GetTextMetricsW.GDI32(?,?), ref: 0027DE62
        • Part of subcall function 0027DE26: GetTextMetricsW.GDI32(?,?), ref: 0027DEA3
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceH_prolog3InfoSystemWindow
      • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma$l:;
      • API String ID: 3506729969-435004317
      • Opcode ID: 39a1b1a4473a5ebb934f2395aea9455e1104d3625221f41ce8013fde942139a4
      • Instruction ID: d53f8b3811d630f2d0d8e53d71d0c01faad6701df79bea4fd599564476885ac1
      • Opcode Fuzzy Hash: 39a1b1a4473a5ebb934f2395aea9455e1104d3625221f41ce8013fde942139a4
      • Instruction Fuzzy Hash: 1BE18EB0A103599FDB12AFB0CC59BDEBBBCAF05305F008459E60EA7291DB749958CF15

      Control-flow Graph

      APIs
      • __EH_prolog3.LIBCMT ref: 00249373
      • lstrcmpA.KERNEL32(?,003AF548,00000008,00249348,?,?,00000004,00245C48,?,?,?), ref: 00249383
      • lstrcmpA.KERNEL32(?,003AF54C,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0024939F
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: lstrcmp$H_prolog3
      • String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$RestartByRestartManager$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde$ddenoshow
      • API String ID: 477540313-844245956
      • Opcode ID: 696c9c777fa5fd49df155fcbeaa7678ec205676cdc6968db0c7d2bc3f1071bc6
      • Instruction ID: fcf71736e3b90768682930ee66fc5047b495e028e6edcab762ddd03efad0c357
      • Opcode Fuzzy Hash: 696c9c777fa5fd49df155fcbeaa7678ec205676cdc6968db0c7d2bc3f1071bc6
      • Instruction Fuzzy Hash: 3951D6B0AA4706BEEB269F708D8EF7B3A6CEB13B49F100118F155A61D1C6B49D54CB21

      Control-flow Graph

      APIs
        • Part of subcall function 00242590: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425CE
        • Part of subcall function 00242590: LoadResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425E1
        • Part of subcall function 00242590: LockResource.KERNEL32(00000000,?,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 002425F1
        • Part of subcall function 00242590: SizeofResource.KERNEL32(00000000,00000000,?,00000006,?,?,?,?,?,00241F31,\sldim\sldim.exe,?,00000000,?), ref: 00242605
      • ShellExecuteExW.SHELL32(?), ref: 00242319
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0024232C
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$ExecuteFindLoadLockObjectShellSingleSizeofWait
      • String ID: /autoreboot$ /pushdeployment$ /skipcountdown$ /testinstall$/adminclient /new /source "%s" /norunsw$<$@$AdminDirector.xml$\sldim\sldim.exe
      • API String ID: 2787188216-2987903987
      • Opcode ID: a769efe9f164979e6bc3cac026d8864712f99075cb05dfef1d84018b588b31e5
      • Instruction ID: bd316de2f5de7a4517062b7237581496aa32531e1c1e2854915d81590d214df9
      • Opcode Fuzzy Hash: a769efe9f164979e6bc3cac026d8864712f99075cb05dfef1d84018b588b31e5
      • Instruction Fuzzy Hash: A5E12571A10206DFDB19DFA9C885BAEBBF5EF84310F544268F850A7391DB70A958CF50

      Control-flow Graph

      APIs
      • GetModuleHandleW.KERNEL32(00000000,8B315B15), ref: 00245DD5
      • GetCommandLineW.KERNEL32(00000000), ref: 00245DE7
        • Part of subcall function 0024A41E: SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
        • Part of subcall function 0024A41E: SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
        • Part of subcall function 00241C60: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?), ref: 00241C85
        • Part of subcall function 00241C60: GetLastError.KERNEL32(?,00000000,00000000,?), ref: 00241C8F
      Strings
      • xi@, xrefs: 00245E36
      • Fatal Error: GetModuleHandle failed, xrefs: 00246143
      • Fatal Error: Failed to generate AdminUninstaller, xrefs: 0024604C
      • Fatal Error: Failed to generate AdminInstaller, xrefs: 002460EB
      • Fatal Error: MFC initialization failed, xrefs: 00245DFA
      • Fatal Error: AdminInstall failed to run, xrefs: 00246093
      • Fatal Error: Failed to determine application path, xrefs: 002460F2
      • 20230-40400-1100, xrefs: 00245ED3, 00245EEA
      • Fatal Error: AdminUninstall failed to run, xrefs: 00246004
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Error$Mode$CommandCriticalHandleInitializeLastLineModuleSection
      • String ID: 20230-40400-1100$Fatal Error: AdminInstall failed to run$Fatal Error: AdminUninstall failed to run$Fatal Error: Failed to determine application path$Fatal Error: Failed to generate AdminInstaller$Fatal Error: Failed to generate AdminUninstaller$Fatal Error: GetModuleHandle failed$Fatal Error: MFC initialization failed$xi@
      • API String ID: 2847907607-2648580806
      • Opcode ID: 39a8ee02b146411dd1d04479cbfd0912edb28676982c11611630fbf1143f9725
      • Instruction ID: 3d0ad568d492ff79e434f4774099a3cc6312b23de408a10c307c1fd31e456596
      • Opcode Fuzzy Hash: 39a8ee02b146411dd1d04479cbfd0912edb28676982c11611630fbf1143f9725
      • Instruction Fuzzy Hash: EBC1F470A10606DFDB05DFA8C849B9EF7B4FF45314F148269E805AB292EB719D14CF92

      Control-flow Graph

      control_flow_graph 494 24bdbb-24bdde EnterCriticalSection 495 24bde0-24bde6 494->495 496 24bdec-24bdf1 494->496 495->496 497 24be95-24be9b 495->497 498 24bdf3-24bdf5 496->498 499 24be0d-24be1d 496->499 500 24bea0-24beb6 LeaveCriticalSection 497->500 501 24be9d 497->501 502 24bdf8-24bdfb 498->502 503 24be34-24be5d GlobalHandle GlobalUnlock call 246af4 GlobalReAlloc 499->503 504 24be1f-24be32 call 246af4 GlobalAlloc 499->504 501->500 505 24be05-24be07 502->505 506 24bdfd-24be03 502->506 511 24be60-24be62 503->511 504->511 505->497 505->499 506->502 506->505 512 24be64-24be92 GlobalLock call 381da0 511->512 513 24beb7-24beba 511->513 512->497 515 24bebc-24bec5 GlobalHandle GlobalLock 513->515 516 24becb-24bed9 LeaveCriticalSection call 2471e4 513->516 515->516
      APIs
      • EnterCriticalSection.KERNEL32(004024A4,?,?,?), ref: 0024BDCD
      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?), ref: 0024BE2C
      • GlobalHandle.KERNEL32(00402498), ref: 0024BE35
      • GlobalUnlock.KERNEL32(00000000), ref: 0024BE3E
      • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0024BE57
      • GlobalLock.KERNEL32(00000000), ref: 0024BE65
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?), ref: 0024BEAA
      • GlobalHandle.KERNEL32(00000000), ref: 0024BEBE
      • GlobalLock.KERNEL32(00000000), ref: 0024BEC5
      • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0024BECE
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
      • String ID:
      • API String ID: 2667261700-0
      • Opcode ID: 4bdbaa1d854861856a46b5bfd55e5a9e35dd010110e42035e742f56a426b7697
      • Instruction ID: d7053bc72c5fbb37239cfb9c0827ab607f156a22545e300dfe4c7406735fdd06
      • Opcode Fuzzy Hash: 4bdbaa1d854861856a46b5bfd55e5a9e35dd010110e42035e742f56a426b7697
      • Instruction Fuzzy Hash: 7231C235600205EFDF1ACF68D889A9A7BB9FF85301F1480A8E905DB295DB70ED11CF50

      Control-flow Graph

      APIs
      • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0024CC56
      • GetSystemMetrics.USER32(0000000C), ref: 0024CC61
      • GetSystemMetrics.USER32(00000002), ref: 0024CC6C
      • GetSystemMetrics.USER32(00000003), ref: 0024CC7A
      • GetDC.USER32(00000000), ref: 0024CC88
      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0024CC93
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0024CC9F
      • ReleaseDC.USER32(00000000,00000000), ref: 0024CCAB
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
      • String ID:
      • API String ID: 1031845853-0
      • Opcode ID: 9044c7f98d6e0367e92587a398c12c81fb2608a284f3501674007db93d596aa8
      • Instruction ID: f6bda7e6a1a661c383be45c495412233c4b7128b64ff028b6eea2a8c89ee4de4
      • Opcode Fuzzy Hash: 9044c7f98d6e0367e92587a398c12c81fb2608a284f3501674007db93d596aa8
      • Instruction Fuzzy Hash: 7FF01771A80720AFE7121FB1AD0DB667F68FB46712F004525F212DA1D0EBBA8405CFA0

      Control-flow Graph

      APIs
      • __EH_prolog3.LIBCMT ref: 0031CC89
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00402958,?,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 002560C9
        • Part of subcall function 00256098: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
        • Part of subcall function 00256098: LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
        • Part of subcall function 00256098: EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
      • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0031CCDC
      • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0031CCF2
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
      • String ID: DragDelay$DragMinDist$windows
      • API String ID: 3965097884-2101198082
      • Opcode ID: 509d18faac1d846b894119d2547234d9138053bac9e90a088738fa7c85a983cf
      • Instruction ID: 0ecd4c646215b1d92ef662fb46bf76979e24007ca5f2e29f0d9ec27b8013eb71
      • Opcode Fuzzy Hash: 509d18faac1d846b894119d2547234d9138053bac9e90a088738fa7c85a983cf
      • Instruction Fuzzy Hash: EF011EB0D40F059FDBA2EF34894AB1ABAF4FB09704F80493DE149EB691D7B464418F09

      Control-flow Graph

      control_flow_graph 598 24a47c-24a4bf call 24bbbb GetModuleFileNameW 601 24a4c5 call 255445 598->601 602 24a4c1-24a4c3 598->602 603 24a4ca-24a4db PathFindExtensionW 601->603 602->601 602->603 605 24a4e2-24a501 call 24a3d9 603->605 606 24a4dd call 255445 603->606 610 24a503 call 255445 605->610 611 24a508-24a50c 605->611 606->605 610->611 613 24a526-24a52a 611->613 614 24a50e-24a520 call 38939f 611->614 616 24a561-24a565 613->616 617 24a52c-24a53d call 247116 613->617 614->613 623 24a643-24a648 call 2471e4 614->623 618 24a567-24a57f call 247116 616->618 619 24a5a2-24a5ac 616->619 626 24a542-24a54a 617->626 636 24a581-24a593 call 38939f 618->636 637 24a59b 618->637 624 24a5fc-24a600 619->624 625 24a5ae-24a5cc 619->625 628 24a634-24a642 call 37f3a0 624->628 629 24a602-24a632 call 38932a call 241ba0 call 38939f 624->629 630 24a5d3-24a5f5 call 38736c call 241ba0 call 38939f 625->630 631 24a5ce 625->631 632 24a54c 626->632 633 24a54f-24a55b call 38939f 626->633 629->623 629->628 630->623 657 24a5f7-24a5f9 630->657 631->630 632->633 633->616 633->623 636->623 650 24a599 636->650 637->619 650->619 657->624
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 0024A4B7
      • PathFindExtensionW.SHLWAPI(?,?,?), ref: 0024A4D1
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ExtensionFileFindModuleNamePath
      • String ID: .CHM$.HLP$.INI
      • API String ID: 2295281026-4017452060
      • Opcode ID: bce508e2ca7b623f9d1b38232a1cd771bbe9396e3fd87e3e8d768600381898f9
      • Instruction ID: 666dbc7768654f5c1c6171dcd1fee78f6f834adf6186b59ba253b281f5adaa90
      • Opcode Fuzzy Hash: bce508e2ca7b623f9d1b38232a1cd771bbe9396e3fd87e3e8d768600381898f9
      • Instruction Fuzzy Hash: 1A41D3B0A507099BDB25EF74CD45BAA73ECEF44300F4448AAA545C7181EBB4D954CF22

      Control-flow Graph

      control_flow_graph 658 241cb0-241cd3 FindResourceW 659 241cd5-241cd8 658->659 660 241cd9-241ce4 LoadResource 658->660 661 241ce6-241cee 660->661 662 241cef-241cfa LockResource 660->662 662->661 663 241cfc-241d0c SizeofResource 662->663 664 241d22-241d24 663->664 665 241d0e 663->665 664->661 667 241d26-241d34 664->667 666 241d10-241d12 665->666 666->661 668 241d14-241d20 666->668 668->664 668->666
      APIs
      • FindResourceW.KERNELBASE(?,?,00000006), ref: 00241CC8
      • LoadResource.KERNEL32(?,00000000), ref: 00241CDC
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Resource$FindLoad
      • String ID:
      • API String ID: 2619053042-0
      • Opcode ID: 131e26b35f17bb069b757185fb362803551cecaaad9caf48433e98359f9f0863
      • Instruction ID: 1bb28264d461fe0ec052ae26a8cf9ac88532867d3be546150671d5eb8141bde1
      • Opcode Fuzzy Hash: 131e26b35f17bb069b757185fb362803551cecaaad9caf48433e98359f9f0863
      • Instruction Fuzzy Hash: 9D012D77B202365BDB211FAAEC8457AB39CEB84366B014537FD49D7100D531DC7087A0

      Control-flow Graph

      APIs
      • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,00404478), ref: 0027D266
      • VerSetConditionMask.KERNEL32(00000000), ref: 0027D26E
      • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0027D27F
      • GetSystemMetrics.USER32(00001000), ref: 0027D290
        • Part of subcall function 0027DA08: __EH_prolog3.LIBCMT ref: 0027DA0F
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000016), ref: 0027DA18
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA2B
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000015), ref: 0027DA42
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA4E
        • Part of subcall function 0027DA08: GetDeviceCaps.GDI32(?,0000000C), ref: 0027DA76
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000F), ref: 0027DA84
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000010), ref: 0027DA92
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000015), ref: 0027DAA0
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000016), ref: 0027DAAE
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000014), ref: 0027DABC
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000012), ref: 0027DACA
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000011), ref: 0027DAD8
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000006), ref: 0027DAE3
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000D), ref: 0027DAEE
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000E), ref: 0027DAF9
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000005), ref: 0027DB04
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000008), ref: 0027DB12
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000009), ref: 0027DB1D
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000007), ref: 0027DB28
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000002), ref: 0027DB33
        • Part of subcall function 0027DA08: GetSysColor.USER32(00000003), ref: 0027DB3E
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000001B), ref: 0027DB4C
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000001C), ref: 0027DB5A
        • Part of subcall function 0027DA08: GetSysColor.USER32(0000000A), ref: 0027DB68
        • Part of subcall function 0027D4D4: __EH_prolog3_GS.LIBCMT ref: 0027D4DE
        • Part of subcall function 0027D4D4: GetDeviceCaps.GDI32(?,00000058), ref: 0027D4FE
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D568
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D586
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5A4
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5C2
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5E0
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D5FE
        • Part of subcall function 0027D4D4: DeleteObject.GDI32(00000000), ref: 0027D61C
        • Part of subcall function 0027D2EE: GetSystemMetrics.USER32(00000031), ref: 0027D2FC
        • Part of subcall function 0027D2EE: GetSystemMetrics.USER32(00000032), ref: 0027D30A
        • Part of subcall function 0027D2EE: SetRectEmpty.USER32(004045E4), ref: 0027D31D
        • Part of subcall function 0027D2EE: EnumDisplayMonitors.USER32(00000000,00000000,0027D186,004045E4), ref: 0027D32D
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00000030,00000000,004045E4,00000000), ref: 0027D33C
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00001002,00000000,00404608,00000000), ref: 0027D369
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(00001012,00000000,0040460C,00000000), ref: 0027D37D
        • Part of subcall function 0027D2EE: SystemParametersInfoW.USER32(0000100A,00000000,0040461C,00000000), ref: 0027D3A3
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
      • String ID:
      • API String ID: 551326122-0
      • Opcode ID: c1b93b1d3b7f1c8f8c51d5939208166897ce1801c4c0d69e95907377dd9c4a52
      • Instruction ID: 4b38c6a6b3f710e29ee6eeaeba048facd25981c92db8eeade7ae368acf725bc9
      • Opcode Fuzzy Hash: c1b93b1d3b7f1c8f8c51d5939208166897ce1801c4c0d69e95907377dd9c4a52
      • Instruction Fuzzy Hash: C5118AB0A003186BEB25AF75DC5AFEB77BCEF89700F00445DF64696181DBB44A058F90

      Control-flow Graph

      control_flow_graph 682 395d60-395d7c 683 395f3b 682->683 684 395d82-395d84 682->684 685 395f3d-395f41 683->685 686 395da6-395dc7 684->686 687 395d86-395d99 call 386df6 call 386e09 call 386d2f 684->687 688 395dc9-395dcc 686->688 689 395dce-395dd4 686->689 702 395d9e-395da1 687->702 688->689 691 395dd6-395ddb 688->691 689->687 689->691 693 395ddd-395de9 call 396e12 691->693 694 395dec-395dfd call 395907 691->694 693->694 703 395dff-395e01 694->703 704 395e3e-395e50 694->704 702->685 707 395e28-395e34 call 3954f5 703->707 708 395e03-395e0b 703->708 705 395e52-395e5b 704->705 706 395e97-395eb9 WriteFile 704->706 712 395e5d-395e60 705->712 713 395e87-395e90 call 395978 705->713 709 395ebb-395ec1 GetLastError 706->709 710 395ec4 706->710 717 395e39-395e3c 707->717 714 395ecd-395ed0 708->714 715 395e11-395e1e call 39589f 708->715 709->710 718 395ec7-395ecc 710->718 720 395e62-395e65 712->720 721 395e77-395e85 call 395b3c 712->721 724 395e95 713->724 719 395ed3-395ed8 714->719 725 395e21-395e23 715->725 717->725 718->714 726 395eda-395edf 719->726 727 395f36-395f39 719->727 720->719 728 395e67-395e75 call 395a53 720->728 721->717 724->717 725->718 730 395f0b-395f17 726->730 731 395ee1-395ee6 726->731 727->685 728->717 734 395f19-395f1c 730->734 735 395f1e-395f31 call 386e09 call 386df6 730->735 736 395ee8-395efa call 386e09 call 386df6 731->736 737 395eff-395f06 call 386dd3 731->737 734->683 734->735 735->702 736->702 737->702
      APIs
        • Part of subcall function 003954F5: GetConsoleCP.KERNEL32(003874C1,00000000,00000000), ref: 0039553D
      • WriteFile.KERNEL32(?,00000000,003875A9,000000FF,00000000,0000010B,00000000,00000000,00000000,000000FF,?,003874C1,003F9328,0000000C,003875A9,000000FF), ref: 00395EB1
      • GetLastError.KERNEL32(?,003874C1,003F9328,0000000C,003875A9,000000FF), ref: 00395EBB
      • __dosmaperr.LIBCMT ref: 00395F00
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ConsoleErrorFileLastWrite__dosmaperr
      • String ID:
      • API String ID: 251514795-0
      • Opcode ID: cdccd65cb75114a38f6505f65056b8181b519d901ee1414fa3fffff8c19ae69e
      • Instruction ID: d730307bc01ce5929fc2253967f6051a242530b4ef61b5e04fd96f5df0dc9c64
      • Opcode Fuzzy Hash: cdccd65cb75114a38f6505f65056b8181b519d901ee1414fa3fffff8c19ae69e
      • Instruction Fuzzy Hash: A651C271E00A0AAFEF13AFA4C885BEEBBB9EF15350F150455E501AB151D731DE818BA1

      Control-flow Graph

      APIs
      • PathFindFileNameW.SHLWAPI(00000000,?,0024A4FF,?,?,00000104), ref: 0024A3E5
      • SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
      • SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorMode$FileFindNamePath
      • String ID:
      • API String ID: 3295048339-0
      • Opcode ID: 873fae54b74672de77b325694101ca59b96988c239d56a8ec8d63f29c9009c2c
      • Instruction ID: 5849ac5a19193ddf7ce0e9ca1feba33f68ba1e49922f7929743477994fa627a4
      • Opcode Fuzzy Hash: 873fae54b74672de77b325694101ca59b96988c239d56a8ec8d63f29c9009c2c
      • Instruction Fuzzy Hash: 2D11E970464204AFDF15BF64D84DB5D3B9CEF04324F108465F8598B652DB75C961CFA1
      APIs
      • WriteFile.KERNELBASE(?,?,?,?,00000000,003874C1,00000000,00000000,?,00395E95,00000000,00000000,00000000,003875A9,0000010B,00000000), ref: 00395A14
      • GetLastError.KERNEL32(?,00395E95,00000000,00000000,00000000,003875A9,0000010B,00000000,00000000,00000000,000000FF,?,003874C1,003F9328,0000000C,003875A9), ref: 00395A3A
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorFileLastWrite
      • String ID:
      • API String ID: 442123175-0
      • Opcode ID: 1e5ca086d2372218f5cd9dbfa372d83057368b913f56f1ced0dd2bbddb8efb2a
      • Instruction ID: ed7f2f880b46b6f9208d0ae0d356163b81a7ff5e703feb7e90399fa32761ac36
      • Opcode Fuzzy Hash: 1e5ca086d2372218f5cd9dbfa372d83057368b913f56f1ced0dd2bbddb8efb2a
      • Instruction Fuzzy Hash: 8B217C35A002199FDF1BCF29CC809E9B7B9EB49315F2441AAE946D7211E6309E82CF64
      APIs
      • SetErrorMode.KERNELBASE(00000000,00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A424
      • SetErrorMode.KERNELBASE(00000000,?,00245DF6,00000000,00000000,00000000), ref: 0024A430
        • Part of subcall function 0024A47C: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 0024A4B7
        • Part of subcall function 0024A47C: PathFindExtensionW.SHLWAPI(?,?,?), ref: 0024A4D1
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: ErrorMode$ExtensionFileFindModuleNamePath
      • String ID:
      • API String ID: 1764437154-0
      • Opcode ID: 141c340a98053c280693a1db3a00789eba749a9ef79b2b245b8599eb8822cbb7
      • Instruction ID: 2bbff0bb2b7a51680fbe568c9613100f0aaf6ca45b974661ac80b73f00d5fbd8
      • Opcode Fuzzy Hash: 141c340a98053c280693a1db3a00789eba749a9ef79b2b245b8599eb8822cbb7
      • Instruction Fuzzy Hash: BBF0B4745702449FCB15FF64D44DA097BA8EF05714F008499F8858B252C775C912CF92
      APIs
        • Part of subcall function 0039468B: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,003936F4,00000001,00000364,00000006,000000FF,?,?,?,00386E0E,00392F35), ref: 003946CC
      • _free.LIBCMT ref: 00388E4F
      Memory Dump Source
      • Source File: 00000003.00000002.2169886591.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
      • Associated: 00000003.00000002.2169864263.0000000000240000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170020452.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170066095.00000000003FD000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170089791.00000000003FF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000402000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170111520.0000000000404000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.2170158046.0000000000407000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_240000_startswinstall.jbxd
      Similarity
      • API ID: AllocateHeap_free
      • String ID:
      • API String ID: 614378929-0
      APIs
      • __EH_prolog3.LIBCMT ref: 0024BFB4
        • Part of subcall function 0024BCAC: TlsAlloc.KERNEL32(?,0024BFE0,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024BCCB
        • Part of subcall function 0024BCAC: InitializeCriticalSection.KERNEL32(004024A4,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024BCDC
      Similarity
      • API ID: AllocCriticalH_prolog3InitializeSection
      • String ID:
      • API String ID: 2369468792-0
      APIs
      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,003936F4,00000001,00000364,00000006,000000FF,?,?,?,00386E0E,00392F35), ref: 003946CC
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      APIs
        • Part of subcall function 00248E34: WideCharToMultiByte.KERNELBASE(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00248A60,00000000,?,00000000,?,00248539,00000000), ref: 00248E45
      • WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00248539,00000000,00000000,00000000), ref: 00248A7D
      Similarity
      • API ID: ByteCharMultiWide
      • String ID:
      • API String ID: 626452242-0
      APIs
      • __EH_prolog3.LIBCMT ref: 00249322
        • Part of subcall function 002484FF: __EH_prolog3.LIBCMT ref: 00248506
        • Part of subcall function 0024936C: __EH_prolog3.LIBCMT ref: 00249373
        • Part of subcall function 0024936C: lstrcmpA.KERNEL32(?,003AF548,00000008,00249348,?,?,00000004,00245C48,?,?,?), ref: 00249383
      Similarity
      • API ID: H_prolog3$lstrcmp
      • String ID:
      • API String ID: 1628994602-0
      APIs
      • __EH_prolog3.LIBCMT ref: 00248506
        • Part of subcall function 00248A4B: WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00248539,00000000,00000000,00000000), ref: 00248A7D
      Similarity
      • API ID: ByteCharH_prolog3MultiWide
      • String ID:
      • API String ID: 354187267-0
      APIs
      • SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 0027D17C
      Similarity
      • API ID: InfoParametersSystem
      • String ID:
      • API String ID: 3098949447-0
      APIs
      • WideCharToMultiByte.KERNELBASE(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00248A60,00000000,?,00000000,?,00248539,00000000), ref: 00248E45
      Similarity
      • API ID: ByteCharMultiWide
      • String ID:
      • API String ID: 626452242-0
      APIs
      • DeleteObject.GDI32(00000000), ref: 002555B7
      Similarity
      • API ID: DeleteObject
      • String ID:
      • API String ID: 1531683806-0
      APIs
      • __EH_prolog3.LIBCMT ref: 0028206A
      • CreateCompatibleDC.GDI32(00000000), ref: 00282098
      • GetObjectW.GDI32(?,00000018,?), ref: 002820B1
      • SelectObject.GDI32(?,?), ref: 002820CD
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 002820EE
      • SelectObject.GDI32(?,00000000), ref: 002820FF
      • CreateCompatibleDC.GDI32(?), ref: 00282119
      • SelectObject.GDI32(?,?), ref: 0028212E
      • SelectObject.GDI32(?,00000000), ref: 0028213F
      • DeleteObject.GDI32(?), ref: 00282148
      • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 00282168
      • GetPixel.GDI32(?,0000002C,00000000), ref: 0028218E
      • SetPixel.GDI32(?,0000002C,00000000,00000000), ref: 002821D5
      • SelectObject.GDI32(?,?), ref: 002821FC
      • SelectObject.GDI32(?,00000000), ref: 00282206
      • DeleteObject.GDI32(?), ref: 0028220E
      Similarity
      • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
      • String ID:
      • API String ID: 3639146769-0
      APIs
      • CoInitialize.OLE32(00000000), ref: 0024F042
      Similarity
      • API ID: Initialize
      • String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
      • API String ID: 2538663250-1403614551
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00276037
        • Part of subcall function 002548B5: __EH_prolog3.LIBCMT ref: 002548BC
        • Part of subcall function 002548B5: GetDC.USER32(00000000), ref: 002548E8
      • IsRectEmpty.USER32(?), ref: 00276052
      • InvertRect.USER32(?,?), ref: 00276068
      • SetRectEmpty.USER32(?), ref: 0027607B
      • GetClientRect.USER32(00000000,00000000), ref: 002760C8
      • GetSystemMetrics.USER32(00000015), ref: 002760E6
      • GetSystemMetrics.USER32(00000015), ref: 0027610C
      • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 0027614D
      • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 0027617D
      • InvertRect.USER32(?,?), ref: 00276189
      Similarity
      • API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
      • String ID:
      • API String ID: 3401445556-0
      APIs
      • __EH_prolog3.LIBCMT ref: 0037209E
      • IsAppThemed.UXTHEME(0000003C,0037221B,?), ref: 003720E0
      • OpenThemeData.UXTHEME(?,Button), ref: 0037210B
      • GetThemePartSize.UXTHEME(?,00000003,00000003,00000005,00000000,00000001,?,00000000), ref: 00372152
      • CloseThemeData.UXTHEME(?), ref: 00372173
      • GetObjectW.GDI32(?,00000018,?), ref: 0037219C
      Similarity
      • API ID: Theme$Data$CloseH_prolog3ObjectOpenPartSizeThemed
      • String ID: Button
      • API String ID: 1633685699-1034594571
      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0024C101
      • EnterCriticalSection.KERNEL32(?,00000010,0024C028,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C112
      • TlsGetValue.KERNEL32(?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C12E
      • LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C196
      • LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C1B0
      • TlsSetValue.KERNEL32(?,00000000), ref: 0024C1E1
      • LeaveCriticalSection.KERNEL32(00241F31,?,00000000,?,?,?,?,?,00241F31,\sldim\sldim.exe), ref: 0024C1FF
      Similarity
      • API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
      • String ID:
      • API String ID: 1707010094-0
      APIs
      • LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 002E409E
      • ValidateRect.USER32(?,00000000,?), ref: 002E40DA
      • UpdateWindow.USER32(?), ref: 002E40E3
      • LockWindowUpdate.USER32(00000000), ref: 002E40F4
      • ValidateRect.USER32(?,00000000,?), ref: 002E4122
      • UpdateWindow.USER32(?), ref: 002E412B
      • LockWindowUpdate.USER32(00000000), ref: 002E413C
      Similarity
      • API ID: UpdateWindow$Lock$RectValidate
      • String ID:
      • API String ID: 797752328-0
      APIs
        • Part of subcall function 0024BFAD: __EH_prolog3.LIBCMT ref: 0024BFB4
      • GetCurrentThreadId.KERNEL32 ref: 00258056
      • SetWindowsHookExW.USER32(00000005,0025C99B,00000000,00000000), ref: 00258066
      • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 002580C9
      • FreeLibrary.KERNEL32(?,?,00247218,?,?,?,00262A40), ref: 002580D9
      Similarity
      • API ID: AddressCurrentFreeH_prolog3HookLibraryProcThreadWindows
      • String ID: HtmlHelpW$hhctrl.ocx
      • API String ID: 3379832378-3773518134
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00243104
      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00243122
      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000), ref: 0024315B
      • RegCloseKey.ADVAPI32(00000000), ref: 0024316E
      Similarity
      • API ID: AddressCloseHandleModuleOpenProc
      • String ID: Advapi32.dll$RegOpenKeyTransactedW
      • API String ID: 823179699-3913318428
      APIs
      • IsWindow.USER32(00000000), ref: 0025A0C3
      • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 0025A0EB
      • SizeofResource.KERNEL32(?,00000000), ref: 0025A0FD
      • LoadResource.KERNEL32(?,00000000), ref: 0025A109
      • LockResource.KERNEL32(00000000), ref: 0025A114
      Similarity
      • API ID: Resource$FindLoadLockSizeofWindow
      • String ID: AFX_DIALOG_LAYOUT
      • API String ID: 2582447065-2436846380
      APIs
      • IsWindowVisible.USER32(?), ref: 0025C096
      • GetWindow.USER32(?,00000005), ref: 0025C0AD
      • GetWindowRect.USER32(00000000,00000000), ref: 0025C0D1
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A7D
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A8A
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000015), ref: 0025C0F7
      • GetWindow.USER32(00000000,00000002), ref: 0025C100
      • ScrollWindow.USER32(?,?,?,?,?), ref: 0025C11C
      Similarity
      • API ID: Window$ClientScreen$RectScrollVisible
      • String ID:
      • API String ID: 1714389229-0
      APIs
      • GetParent.USER32(?), ref: 0026E035
      • GetKeyState.USER32(00000012), ref: 0026E063
      • GetKeyState.USER32(00000011), ref: 0026E074
      • SendMessageW.USER32(?,00000157,00000000,00000000), ref: 0026E089
      • SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 0026E09E
      • GetNextDlgTabItem.USER32(?,?,00000000), ref: 0026E0DD
      Similarity
      • API ID: MessageSendState$ItemNextParent
      • String ID:
      • API String ID: 1930099164-0
      APIs
      • PatBlt.GDI32(00000000,00000000,-00000002,-00000002,00FF0062,?), ref: 002800EB
      • SetBkColor.GDI32(?), ref: 00280111
      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00CC0020,?,00280A29), ref: 00280139
      • SetBkColor.GDI32(?), ref: 00280152
      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00EE0086,?,00280A29), ref: 0028017A
      • BitBlt.GDI32(00000000,00000001,00000001,00000001,00000001,00000000,00000000,00000000,008800C6), ref: 002801A2
      Similarity
      • API ID: Color
      • String ID:
      • API String ID: 2811717613-0
      APIs
      • EnterCriticalSection.KERNEL32(00402958,?,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 002560C9
      • InitializeCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560DF
      • LeaveCriticalSection.KERNEL32(00402958,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560ED
      • EnterCriticalSection.KERNEL32(00000000,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?,?), ref: 002560FA
        • Part of subcall function 00256074: InitializeCriticalSection.KERNEL32(00402958,002560B3,?,?,?,0024BF70,00000010,00000008,0024BBE4,0024BC27,00247218,00247110,002425BA,?,?,?), ref: 0025608C
      Strings
      Similarity
      • API ID: CriticalSection$EnterInitialize$Leave
      • String ID: X)@
      • API String ID: 713024617-2943645793
      APIs
      • __EH_prolog3.LIBCMT ref: 002B20B7
      • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 002B21B5
      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002B21E1
        • Part of subcall function 002ACC30: __EH_prolog3.LIBCMT ref: 002ACC37
      Strings
      Similarity
      • API ID: H_prolog3MessageSend
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 936991600-973906075
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00243040
      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00243050
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegOpenKeyTransactedW
      • API String ID: 1646373207-3913318428
      APIs
      • SetRectEmpty.USER32(?), ref: 00287156
      • GetWindowRect.USER32(?,?), ref: 00287163
      • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0028719C
      • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00287234
      Similarity
      • API ID: MessageRectSend$EmptyWindow
      • String ID:
      • API String ID: 1914275016-0
      APIs
      • GetWindowRect.USER32(?,?), ref: 00288111
      • GetParent.USER32(?), ref: 0028811A
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A7D
        • Part of subcall function 00255A6E: ScreenToClient.USER32(?,?), ref: 00255A8A
      • OffsetRect.USER32(?,00000000,?), ref: 0028815B
      • OffsetRect.USER32(?,?,00000000), ref: 0028816B
      Similarity
      • API ID: Rect$ClientOffsetScreen$ParentWindow
      • String ID:
      • API String ID: 182828750-0
      APIs
        • Part of subcall function 0024FFDF: RegCloseKey.ADVAPI32(00000000,?,?,?,?,0024FE08,?,00000000), ref: 00250024
      • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 002500AB
      • RegCloseKey.ADVAPI32(00000000), ref: 002500B4
      Strings
      Similarity
      • API ID: Close$Value
      • String ID: A
      • API String ID: 299128501-3554254475
      APIs
      • SetRectEmpty.USER32(?), ref: 002C5065
        • Part of subcall function 00256ECE: GetWindowLongW.USER32(?,000000EC), ref: 00256EDB
        • Part of subcall function 00256F22: GetWindowLongW.USER32(?,000000F0), ref: 00256F2F
      • OffsetRect.USER32(?,000000F9,00000000), ref: 002C50C2
      Strings
      Similarity
      • API ID: LongRectWindow$EmptyOffset
      • String ID: _MOUSEANCHORWND@@
      • API String ID: 4187485167-973906075
      APIs
      • GetWindowRect.USER32(?,?), ref: 002F40B4
      Strings
      Similarity
      • API ID: RectWindow
      • String ID: g5/$g5/
      • API String ID: 861336768-2943588861
      APIs
      • GetKeyState.USER32(00000011), ref: 0026F0B2
        • Part of subcall function 0026F967: __EH_prolog3.LIBCMT ref: 0026F96E
        • Part of subcall function 0026F967: SendMessageW.USER32(?,000000B0,?,?), ref: 0026F9B1
      • SendMessageW.USER32(?,000000B0,0000002E,?), ref: 0026F0F6
      Strings
      Similarity
      • API ID: MessageSend$H_prolog3State
      • String ID: .
      • API String ID: 1947833932-248832578
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 002490C0
      • PathFindExtensionW.SHLWAPI(?), ref: 002490D6
        • Part of subcall function 00248B58: __EH_prolog3_GS.LIBCMT ref: 00248B62
      Strings
      Similarity
      • API ID: ExtensionFileFindH_prolog3_ModuleNamePath
      • String ID: %Ts%Ts.dll
      • API String ID: 3433622546-1896370695
      APIs
      • EnterCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C05E
      • TlsGetValue.KERNEL32(00402488,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C072
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C08C
      • LeaveCriticalSection.KERNEL32(004024A4,?,?,?,?,0024C04E,00000000,00000004,0024BBCA,00247218,00247110,002425BA,?,?,?,?), ref: 0024C097
      Similarity
      • API ID: CriticalSection$Leave$EnterValue
      • String ID:
      • API String ID: 3969253408-0